Thornton A. May demonstrates just how difficult it is to manage — and expunge — personal information, page 24

The Business of Security

SPECIAL REPORT

IT leaders are taking a more businesslike approach to security. They're using cost-benefit analyses, dashboards and data classification to ensure that security dollars are spent on the biggest risks. Stories begin on page 27.


IT Execs Take Different Routes on Bird Flu Threat

Fears of an outbreak prompt continuity planning by some; others see no need

BY MATT HAMBLEN

The answer to the question of whether corporate IT departments would be ready to respond if an avian flu pandemic hit the U.S. is: Maybe.

Based on interviews last week with 13 CIOs, business continuity directors and IT management consultants, U.S. companies continue to hold widely divergent views on the risk that a flu outbreak could force school closings or broad quarantines in hard-hit areas.

Some IT leaders, mainly at large companies, said they are preparing for the worst in an effort to avoid being left short-staffed or unable to support vastly increased numbers of telecommuters on their networks if a pandemic strikes.

For example, Beneficial Financial Group in Salt Lake City "is seriously looking into the pandemic issue," said CIO Steve Terry. "Since we are a life insurance company, [being prepared] makes sense for us. We have to have the capability to continue doing business if there is a pandemic."

[Photo caption] CIO Ellen has been preparing for a pandemic for six months.

In contrast, several other

Bird Flu, page 56


PUBLIC EXPOSURE

Counties Post Personal Data in Documents

Online records put Social Security numbers, other sensitive info in open

BY JAIKUMAR VIJAYAN

Broward County, Fla., Fort Bend County, Texas, and Maricopa County, Ariz., have something in common: In recent years, they have made sensitive personal information about their residents, such as Social Security, driver's license and bank account numbers, available to anyone in the world with Internet access.

And they aren't alone by any means. The failure to remove sensitive data from images of land records and other public documents posted online has made county government Web sites across the U.S. a veritable treasure trove of information for identity thieves and other criminals, several privacy advocates claimed last week.

"These sites are just spoon-feeding criminals the information they need," said BJ Ostergren, a Virginia resident who runs a privacy-related Web site called The Virginia Watchdog.

The pieces of personally identifiable information found on county Web sites and made available to Computerworld by Ostergren and other privacy advocates included the Social

Personal Data, page 10


ONLINE

Go to our Web site to read full coverage of data breaches and other IT security and privacy issues: computerworld.com/security

"In my estimation, 'do nothing' is not a good solution because it leaves the information out there for public viewing."

BRUCE HOGMAN, IT PROFESSIONAL AND RESIDENT OF BROWARD COUNTY, FLORIDA

■ A pending state law requires Florida's counties to remove certain types of personal data from all online records.

■ For now, Broward County has an ask-first policy on blocking sensitive data from being viewed on the Web.

■ Governments have to take action - fast - to protect people's data, says Don Tennant.
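The failure mode described above, personal data surviving inside published record images, is normally caught only by a screen run over the text extracted from each document before it goes online. What follows is an added example, not code from the article or from any county's system: a Python pre-publication scan for Social Security numbers and ABA bank routing numbers, with the structural checks that keep zip+4 codes and random nine-digit runs out of the report, plus a redaction pass that leaves only the last four digits. The sample deed text, the SSN 219-09-9999 and the routing number 123456780 are constructed placeholders; the SSN allocation rules and the ABA check-digit formula are the published ones.

```python
"""Pre-publication PII screen for text extracted (e.g. by OCR) from scanned records."""
import re
from dataclasses import dataclass

SSN_RE = re.compile(r"\b(\d{3})[- ](\d{2})[- ](\d{4})\b")
NINE_DIGITS_RE = re.compile(r"\b\d{9}\b")


@dataclass(frozen=True)
class Finding:
    kind: str     # "ssn" or "aba_routing"
    start: int    # character offsets into the source text
    end: int
    masked: str   # the value with everything but the last four digits hidden


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the Social Security Administration never issues
    (area 000, 666 or 900-999; group 00; serial 0000)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def is_aba_routing(number: str) -> bool:
    """ABA routing-number check: weights 3,7,1 cycle over the nine digits
    and the weighted sum must be a multiple of 10."""
    if len(number) != 9 or not number.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(w * int(d) for w, d in zip(weights, number)) % 10 == 0


def scan(text: str) -> list[Finding]:
    """Return every plausible SSN and routing number in `text`, in document order."""
    findings = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            findings.append(Finding("ssn", m.start(), m.end(), f"***-**-{m.group(3)}"))
    for m in NINE_DIGITS_RE.finditer(text):
        if is_aba_routing(m.group()):
            findings.append(Finding("aba_routing", m.start(), m.end(), "*****" + m.group()[-4:]))
    return sorted(findings, key=lambda f: f.start)


def redact(text: str) -> str:
    """Replace each finding with its masked form, right to left so earlier offsets stay valid."""
    out = text
    for f in reversed(scan(text)):
        out = out[:f.start] + f.masked + out[f.end:]
    return out


# Constructed sample standing in for the OCR text of a recorded deed. 219-09-9999 is a
# structurally valid placeholder, not a real person's number; 000-12-3456 is deliberately
# invalid (area 000) and must not be reported; 987654321 fails the ABA check digit.
SAMPLE = (
    "WARRANTY DEED. Grantor: J. Doe, SSN 219-09-9999, conveys Lot 4.\n"
    "Grantee: R. Roe, SSN 000-12-3456. Mortgage satisfied via routing no. 123456780.\n"
    "Recorded 2006-04-10, instrument 987654321."
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.kind:12} @{f.start:4}: {f.masked}")
    print(redact(SAMPLE))
```

Two limits worth stating. The scan sees only what OCR recovered, so a number the OCR misread (a dropped hyphen, a 0 read as O) slips past it; and bare nine-digit runs are reported only when the ABA check digit matches, so an SSN written without separators is out of scope, as are driver's license numbers, whose format varies by state. Treat a hit as a reason to hold the document for a human reviewer, and treat a clean result as nothing more than the absence of the two patterns checked.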
I have people to support and ideas to enable. Look out world, because my network is coming through.

Dynamic Networking from AT&T gives Maya the IP solutions she needs to connect suppliers, customers and employees worldwide. With IP VPNs, Maya has a cost-effective networking solution that allows users to collaborate no matter where they are. And with AT&T's integrated network security, Maya knows she can expand her endpoints without any increase in exposure.
[Image: The new ... Sydney, Singapore]

Global companies have teams everywhere. To help them share ideas, Xerox multifunction systems and software put everyone on the same playing field. There's a new way to look at it.

Running a global company requires secure worldwide information sharing. Luckily, Xerox has a solution for everyone on your team. Using Xerox multifunction systems and Xerox DocuShare® software, documents can be securely scanned to the Web. This way people throughout your global network can share them. This keeps documents current, can eliminate warehousing needs by 70% and can reduce order fulfillment time by 80%. Whatever Xerox WorkCentre® multifunction system you choose, you'll reduce costs by printing, copying, scanning and faxing from one convenient network device. Now that's a game plan. To learn more, contact us today.

xerox.com/offfice/team
1-800-ASK-XEROX ext. 753

XEROX. | Technology | Document Management | Consulting Services |

© 2006 Xerox Corporation. All rights reserved. XEROX®, WorkCentre®, DocuShare® and There's a new way to look at it® are trademarks of Xerox Corporation in the United States and/or other countries.
The Business of Security.

Savvy IT leaders are taking a more businesslike approach to security. They're using cost-benefit analyses, dashboards and data classification schemes to match investments to the biggest risks. Package starts on page 27.

Risk Formula. The risk-based security model directs a company's spending to where damage from a breach would cause the most financial harm.

The Big Picture. Security dashboards cut down the monitoring workload, isolate threats earlier and reduce downtime by discovering configuration errors.

Avoiding Spending Fatigue. No matter how much money you pour into security, you'll always find that you need more. Here's how some CIOs stoke the security funding fires.
Top Secret. A new breed of data-classification tools could help set policies and access controls on sensitive information buried in unruly, unstructured data sets.

Beyond Posters. You need more than catchy slogans to get your company's employees to take security seriously. Here are some training tips.

Sorting the Standards. Like pieces of a puzzle, the frameworks Cobit, ISO 27001, ITIL and SAS 70 offer guidelines for improving particular elements of security.

Risk Reducer. Chief risk officers act as the linchpins for enterprise risk management. According to Forrester Research, by next year, three quarters of large, critical-infrastructure organizations will have a CRO or equivalent role.

QuickStudy: Computer Forensics. IT managers aren't likely to confront dead bodies on the job, but a rudimentary knowledge of evidence as it relates to computer data can help protect your organization's operations, data and processes.

Little Leaks. With so much on the line, many CIOs are enacting tough security policies for their employees' personal memory devices.

No Silver Bullet. Risk is an inherent part of business, says columnist Mark Hall. The biggest security mistake that you can make is to take the one-way approach.
The following stories can be found online at computerworld.com/thisweek.

IT Management Survey

Computerworld polled 571 IT professionals about their organizations' security practices. View the results to better understand how your peers view security technologies and management issues, ranging from budgets to restrictions on portable storage media.

Webcast

Biometric authentication is widely regarded as the most foolproof of authentication systems. This webcast will give an overview of biometrics and some of the key issues IT professionals should be aware of when evaluating this technology.
AT DEADLINE

Offshore Boom Benefits Infosys

Infosys Technologies Ltd., riding a boom in offshore outsourcing, reported that its revenue had surpassed $2 billion for its fiscal year ended March 31. Bangalore, India-based Infosys reported revenue of $2.15 billion for the year, up by 35% over revenue of $1.6 billion in fiscal 2005. Profits for the year rose 32%, to $555 million. Infosys has forecast sales growth of 28% to 30% in fiscal 2007.

CA to Buy Software Vendor for $75M

CA Inc. has agreed to buy Cybermation Inc., a maker of enterprise workload automation software, for $75 million. Islandia, N.Y.-based CA said it will add Cybermation's tools to its workload automation offerings. A privately held company based in Markham, Ontario, Cybermation reported revenue of about $30 million in 2005. CA expects the deal to close within 30 days.

AMD's Q1 Revenue And Profits Improve

Advanced Micro Devices Inc. reported healthy increases in sales and profits in its first quarter, which ended March 26. Strong demand for dual-core processors led to record sales of AMD's Opteron processor in the quarter.

          Revenue    Profit/loss
Q1 '06    $1.33B     $185M
Q1 '05    $1.23B     ($17M)

DHL Names Former GM Exec as CIO

DHL International Ltd. has named Maryann Goebel CIO of DHL Express for the Americas, the Asia-Pacific region and emerging markets/Latin America. Goebel, who previously was CIO at General Motors North America, will oversee all DHL IT initiatives in those regions. Goebel reports to John Mullen, joint chief executive of DHL Express, and will be based at DHL's U.S. corporate headquarters in Plantation, Fla.


Lawson Users Aren't Sure About Upgrading

Next-generation apps require new IT infrastructure

BY MARC L. SONGINI

ORLANDO

Lawson Software Inc. users last week expressed mixed feelings about upgrading to the company's next-generation Lawson 9 and Landmark applications, with some citing fears that the migration requires excessive technology changes.

The comments from users at Lawson's Customer and User Exchange 2006 conference here last week came as the company unveiled the first piece of its Landmark ERP system.

The Landmark Strategic Sourcing application, introduced less than a month after Lawson brought out Version 9 of its application suite, aims to improve and automate the procurement process.

Lawson officials declined to disclose further delivery plans for the Landmark line, which will succeed Lawson 9.

The city government of Greensboro, N.C., plans to begin using the new Strategic Sourcing software this fall, several months after it installed the Lawson 9 financial and human resources software. The city was an early adopter of the Lawson 9 applications, which were officially introduced last month.

Chryste Hover, the municipality's director of ERP, said the decision to use Lawson 9 required that the city first install the IBM WebSphere-based Lawson System Foundation 9, which is also needed to run Landmark applications.

Hover said that the technology requirement entailed some work for the city's IT operation, since it had to swap out its Microsoft Internet Information Services Web server for WebSphere. Greensboro also had to upgrade its IBM AIX-based pSeries hardware and Oracle Corp. database software to support the new system, she said.

"You need to be on the cutting edge, technologically, [to upgrade to Lawson 9]," Hover explained.

The technology requirements are causing Wilsons The Leather Experts Inc. in Brooklyn Park, Minn., to take "a wait-and-see attitude with Lawson 9.0 and Landmark," said Scott Christian, the retailer's director of business systems. Wilsons is upgrading from Lawson 7 to Lawson 8 ERP software.

Christian said that the technology requirement for upgrading to the new versions entails "a significant change and one that I'm not sure will deliver tangible business benefits for Wilsons Leather at this time. I also believe there is a level of risk involved in making the change right now that we are not willing to accept."

After viewing demonstrations of the initial Landmark offering at the user conference, Chuck Kentfield, senior software engineer for human resources at Pacific Life Insurance Co. in Newport Beach, Calif., called it "a solid improvement in technology."

Kentfield said he expects to migrate from Version 9 to Landmark but can't set a timetable for that until Lawson discloses its delivery plans.

The Strategic Sourcing application has attracted the interest of Sandi Klos, business project manager for materials management at HealthPartners Medical Group and Clinics in St. Paul, Minn.

The health services provider currently runs Version 8 of Lawson's procurement, payroll and human resources applications. Klos said she expects HealthPartners to install Lawson System Foundation 9 by 2007.

Predrag Jakovljevic, an analyst at Montreal-based research firm Technology Evaluation Centers Inc., said user response to the significant architectural changes that are needed to use Landmark remains unclear.

Jakovljevic said the WebSphere requirement might not suit customers who are standardized around Windows-based products.

ACQUISITION WORRIES

Despite Lawson's planned merger with Intentia, users still worry that the former may be purchased by another company.

www.computerworld.com


Lawson CEO Weighs In on Landmark, Intentia Plans

ORLANDO

Harry Debes, president and CEO of Lawson Software, has overseen development of the next-generation Landmark application set and the company's acquisition of Danderyd, Sweden-based ERP software vendor Intentia International AB, due to close this month. Debes spoke about the acquisition, Lawson's technology focus and the ERP business in an interview with Computerworld last week.

Has the agreement to buy Intentia caused any of your customers to have doubts about the future?

It's been more of an issue for Intentia customers than Lawson's, in direct correlation to being the acquired company versus the acquirer. We've tried to be consistent and send a message that really hasn't changed over the last 12 months. That is, these products serve different markets, the personnel are different, and we want to keep them both alive and have continuity.

Why were you chosen to lead Lawson at the same time the company agreed to buy Intentia?

Think about the Intentia merger. I had done a lot of mergers and acquisition work in my previous history. I had also done international work. Before joining Lawson, I spent about 50% of my time working globally.

Can Lawson stay competitive against ERP giants like Oracle and SAP?

You can be smaller and nimbler and find segments not well served by the giants. You can do things with customers [that] they'd never get from SAP. You spend time with smaller firms face to face, building relationships. Our whole client experience isn't just a bullet on a PowerPoint slide.

We plan to do about eight or nine verticals and get really, really good at those. We don't need to be in 150 countries. We don't want to do technology or middleware - just applications. We'll surround that software with a whole range of value-added services.

What is the status of Lawson's new Landmark applications?

We kept it fairly quiet and didn't offer a lot of marketing hype around Landmark. We said to the developers, "Let's get real and make this happen." The good news is [the Landmark developers] have done everything we asked them and more, and it's not necessary to be that cautious now. We're not scrapping all the legacy code we have, and we still have a lot of customers using our existing core systems, and we'll continue enhancing them as we bring out new modules in Landmark.

Does Lawson plan to offer hosted applications?

There's so much talk about online software, and I scratch my head and wonder where it's coming from. I rarely get questions from customers about it. However, we are going to offer a hosted human-capital management service by midsummer and see what happens.

- MARC L. SONGINI
Red Hat Again Tries to Move Beyond OS Level

Planned purchase of JBoss gives Linux vendor new hope in app server market

BY ERIC LAI AND HEATHER HAVENSTEIN

Red Hat Inc.'s planned acquisition of application server vendor JBoss Inc. is its third attempt to move up the open-source software stack in a big way. And it's hoping that this time proves to be the charm.

Red Hat has had limited success at getting users to adopt the directory server software it launched last June and a Java-based application server that it released in 2004. But some IT managers applauded its proposed marriage with JBoss.

"Of all the potential firms that could have acquired JBoss, we feel that Red Hat — being an open-source proponent — is a good match for us," said Barry Strasnick, CIO at CitiStreet LLC, a Quincy, Mass., company that manages benefits programs for companies and government agencies.

CitiStreet, which formerly was a big user of BEA Systems Inc.'s WebLogic application server, started moving to the open-source JBoss technology two years ago. Now the company uses JBoss on top of Red Hat Linux to support all of its mission-critical applications, Strasnick said.

Badri Nittoor, CEO of JBoss systems integrator Tripod Technologies LLC in Cherry Hill, N.J., said the acquisition will move Red Hat closer to having an enterprise-class stack of open-source software.

But he added that it remains to be seen how well the cultures of the two companies will mesh, since JBoss has more control over the source code for its software than Red Hat does over Linux.

Raleigh, N.C.-based Red Hat said it agreed to pay at least $350 million in cash and stock for Atlanta-based JBoss. It added that the price tag could rise to $420 million if JBoss meets certain financial targets under Red Hat's ownership.

Red Hat unveiled its Directory Server software, bought from America Online Inc.'s Netscape division, at its first user conference last spring.

Stiff Competition

But that market is dominated by Microsoft Corp.'s Active Directory, followed by Novell Inc.'s eDirectory software, said Sara Radicati, principal analyst at The Radicati Group Inc. in Palo Alto, Calif. Red Hat's market share "is very small, let's put it that way," she said.

Red Hat also offers an application server based on the open-source Jonas technology developed by the ObjectWeb Consortium in Montbonnot, France. Red Hat CEO Matthew Szulik said during a conference call last week that the company has made "a significant investment in Jonas, and we expect that to continue."

But Laurent Lachal, an ana-

Acquisition Plan

■ Red Hat will make an initial payment of $140 million in cash plus stock valued at $210 million to buy JBoss.

■ JBoss will become an independent division of Red Hat after the deal closes, which is expected in late May.

■ Marc Fleury, CEO of JBoss, will continue to run the unit and will report to Red Hat CEO Matthew Szulik.

New Mass. CIO Defends Open Document Plan

BY CAROL SLIWA

Massachusetts CIO Louis Gutierrez said last week that he doesn't envision "a full-scale, completed implementation" of the state's controversial Open Document Format (ODF) policy by its January 2007 deadline. But in his first in-depth interview since Feb. 6, when he became CIO and director of the state's Information Technology Division (ITD) for the second time, Gutierrez told Computerworld that he also doesn't foresee the state taking a "wait position" with respect to the ODF policy, which applies to the government's executive branch. A status update on ODF is due by midyear, he noted. Excerpts from the interview follow:

How committed are you to the Enterprise Technical Reference Model that the ITD announced in September and to the ODF policy that's part of it?

One of the reasons that I was glad to take up the assignment to come back to ITD is that I do believe in the technical reference model objective, and I very much believe in the important role that the [division] has in promoting standards. I'm proud and grateful to promote and defend a standard like this.

Do you think your predecessors made a sound decision with respect to ODF?

I do think that this was a far-seeing and very thoughtful objective, and I think that's one reason it has resonated the way it has. It has captured the essence of an important notion about openness, about standards, about the way documents are used and will be used.

I've signed up to do the execution, and I have a lot of work to do on implementation planning and on addressing concerns of accessibility advocates. But I do think this is the right direction to be going.

Is that based on a desire not to tie up documents in proprietary formats for the long haul?

I would add a different angle on this. In the world of government work, we think of these documents as being somehow memos that individuals save to disk, and somehow we want those records to live a long time, and there might be a long thread of arguments around that. But truly, the records management topic is the prerogative of records management people, and I want to focus on the benefits to an executive department of state government. The world that we're entering is one of much more workflow of structured documents and knowing in great detail and controlling your document formats. Open-standard document formats are absolutely the future of where things are heading.

Microsoft doesn't support ODF and has raised objections about the policy. Have you been trying to work out a compromise?

We're not talking about a compromise to the policy if Microsoft were able to work with ODF. One benefit of an open-standards policy is to allow much greater competition among office suites on the desktop. And furthermore, there are circumstances where low-cost and open-source office suites are the right solution, and other circumstances where Microsoft Office, were it to comply with the policy, would be appropriate as well.

Have you been trying to impress upon Microsoft the need for an ODF converter?

We've been trying to impress upon them that our policy is not an anti-Microsoft policy, that we would be very interested in ODF converter capabilities for a number of reasons. It simplifies and makes less costly some of the implementation we would need to do. And it avoids months of question marks over whether Microsoft Office products will ultimately
lyst at London-based Ovum Ltd., said Red Hat has been disappointed by the adoption of Jonas and is unlikely to devote a lot of resources to that technology once it owns JBoss.

About half of the JBoss user base runs the application server on Windows. That could complicate Red Hat's marketing strategy, said Steve Walli, a vice president at Optaros Inc., an open-source consulting firm in Boston.

On the other hand, Jason Long, CEO and chief software engineer at Supernova Software Inc. in Houston, said the JBoss deal might motivate him to switch his company's internal applications from Windows to Red Hat Linux.

"This should lower that barrier and make it a more attractive option," said Long, who is also founder of the Houston JBoss Users Group.

James Niccolai and China Martens of the IDG News Service contributed to this story.


qualify under the policy.

How open are you to including Microsoft's Office Open XML file format as part of the policy, should its submission to Ecma International become a standard?

We have not said that the policy will be restricted to only one standard over time. But we care very much that our policy objectives are met by whatever standard is looked at.

As to the moves that Microsoft has been making with regard to its own Open XML format, I think there has been progress. The move from legacy formats to XML formats, improved licensing and covenant not-to-sue provisions that apply to these formats, the submission of the format to a standards body, the incorporation of a "save to PDF" — these truly are positive movements. We are very encouraged by these things, and when a standardization process is complete, we'll look forward to evaluating the situation to see if it meets the policy requirements.
Sun High-End Unit Cuts 200 Workers

Sun Microsystems Inc. has laid off about 200 people from its Scalable Systems Group. The layoffs represent about 7% of the group's workforce. Managers of the high-end systems division also streamlined the group by closing open requisitions, reallocating resources and increasing organizational efficiency.

Salesforce.com Buys Wireless Vendor

Salesforce.com Inc. has acquired wireless technology developer Sendia Corp. for $15 million in cash. Salesforce.com already uses Sendia technology in its AppExchange Mobile offering, which allows corporate customers to access on-demand applications using handheld computers and smart phones. Santa Monica, Calif.-based Sendia employs 35 workers.

McAfee Portal Offers Virus Information

McAfee Inc. has unveiled a new online portal called McAfee Threat Center, which is designed to help users research a wide range of security problems. The portal will provide updates on viruses along with information from the company's Avert Labs division on topics such as spam, phishing and spyware. The site will also offer free tools, blogs and articles from McAfee security experts.

$2.65B Settlement Of AOL Suit OK'd

A judge approved a $2.65 billion settlement of a lawsuit brought against Time Warner Inc. by shareholders that alleged that America Online Inc. improperly accounted for revenue in the years preceding and following the AOL-Time Warner merger. Judge Shirley Wohl Kram of the U.S. District Court in New York ruled that the settlement of the class-action lawsuit is fair, reasonable and adequate. A Time Warner spokeswoman declined to comment on the settlement.
It's Time for Real Time . . .

. . . when it comes time to analyze customer data. There's a real-time deluge of customer information inside companies today, but it's difficult to make instant decisions about what the data means. William Hobbib, vice president of marketing at Lexington, Mass.-based StreamBase Systems Inc., thinks that will change with the release this week of his company's StreamBase 3.0 software. He says an updated StreamBase Optimizer module runs queries on real-time information three times faster than the previous release did. CEO Barry Morris explains that StreamBase executes its real-time queries on "windows" of streaming data that are herded into relational tables in RAM. And given that StreamBase is a 64-bit app, it supports a lot of memory indeed. If a query needs historical information, StreamBase can yank it from a disk and put it into a data window. Pricing starts at $95,000.

But  not  all 
analytical  data 


can  be  neatly  organized  in 
relational  tables.  That’s  why 
Intelligent  Results  Inc.  in  Bel¬ 
levue,  Wash.,  next  week  plans 
to  unveil  Predigy,  an  analytics 
software  tool  that  not  only 
dissects  structured  data  for 
business  intelligence  clues 
but  also  can  be  applied  to  un¬ 
structured  information  found 
in  e-mails,  Word  files  and 
other  documents.  CEO  Kelly 
Pennock  claims  that  because 
Predigy  can  sift  through  both 
kinds  of  data,  it’s  “better  at 
predicting  customer  behav¬ 
ior.”  Pricing  starts  at  $50,000. 

Don’t write out your company’s app . . .

. . . requirements - draw them.

Well, sort of. Marc Brown, senior director of product marketing at Borland Inc., says the Cupertino, Calif.-based company’s new Caliber DefineIT software lets tech-savvy business analysts “create graphical storyboards” — basically flow charts of their software specifications that “fully flesh out functional components.” Brown says the tool’s visual nature helps end users agree more quickly on how an application should work. Caliber DefineIT costs $2,000 and is due on May 5.


Open-source subverts the dominant . . .

. . . development paradigm. In the future, you won’t be managing a significant software development project that doesn’t involve programmers strewn about the planet. So why use tools that were designed for people working side by side? asks Bill Portelli, CEO of CollabNet Inc. in Brisbane, Calif. That’s why his firm has become the primary sponsor of Subversion, an open-source version-control tool designed for developers working together over the Web. This week, CollabNet unveils its Subversion On-Demand service, which adds collaboration, life-cycle management and other features on a subscription basis. CollabNet charges $33,000 per year for 50 development team members.

250k: Downloads of Subversion, per CollabNet.


On-demand software can be pricey . . .

. . . compared with perpetual license approaches. “There’s a little bit of sticker shock when you look long term,” says Benjamin Holtz, CEO of Green Beacon LLC in Watertown, Mass. For example, to get “true costs,” he suggests that you compare on-demand software with licensed applications over a period of three to five years. The licensed approach wins every time, Holtz claims. Still, his company, which customizes packaged CRM and ERP apps, faces competitive pressure from the likes of Salesforce.com Inc. because price isn’t the only reason users like the on-demand model. Letting someone else manage the software is another. So Green Beacon has devised a hosted alternative for CRM users, starting at $6,000 per month. In the fall, Green Beacon will offer ERP software in a hosted environment, Holtz says.

Federal foot-dragging on data privacy . . .

. . . legislation hurts businesses.

Without a national privacy protection law to abide by, U.S. IT vendors are at a disadvantage against their European and Japanese competitors. That’s the assertion of Phil Dunkelberger, CEO of PGP Corp. in Palo Alto, Calif. He says the fragmented, state-driven privacy policies in the U.S. give pause to European and Japanese governments and businesses that are evaluating U.S. technologies and services. “They wonder whether our government is serious about protecting private information,” Dunkelberger says. “The perception is that here in the U.S., we are not diligent about protecting data.” He adds that PGP, which offers data security tools to IT users, doesn’t have a preference among any of the dozen or so privacy bills circulating in Congress.

“We just need to get one to the floor for a vote,” says Dunkelberger, who testified this month on the urgency for passing such legislation. But congressional staffers tell him that any privacy bill “is a long shot for 2006,” he says. Election year and all that. So when your representative is campaigning locally instead of doing the people’s business in Washington, give him an earful about the need for a federal data-privacy bill — now.


“I understand people’s concerns, but a lot of this information has been freely available for public inspection since Plymouth Rock.”
CAROL FOGELSONG, ASSISTANT COMPTROLLER, ORANGE COUNTY, FLA.

“These sites are just spoon-feeding criminals the information they need.”
BJ OSTERGREN, PRIVACY ADVOCATE IN VIRGINIA


Continued from page 1

Personal Data

Security number of Rep. Tom DeLay (R-Texas) on a tax lien document; the Social Security numbers of Florida Gov. Jeb Bush and his wife on a quitclaim deed from 1999; the driver’s license numbers, vehicle registration information, height, race and addresses of people arrested for traffic violations; the names and birth dates of minors from divorce decrees; and complete copies of death certificates.

“All of this information is available to anyone sitting in a cafe in Nigeria or anywhere else in the world,” said David Bloys, a retired private investigator who publishes a newsletter called “News for County Officials” in Shallowater, Texas. “It’s a real security threat.”

Scope of Threat Unknown

It’s hard to say exactly how many of the 3,600 county governments around the country are posting sensitive data on the Web, said Mark Monacelli, president of the Property Records Industry Association, a Durham, N.C.-based industry group set up to facilitate the recording of and access to public property information.

But it’s safe to assume that a large number of them are, said Darity Wesley, CEO of La Mesa, Calif.-based Privacy Solutions Inc., which offers consulting services to the real estate industry. “I think a lot of [county] recorders have been putting public land records on the Internet without any concern about who has access to them,” Wesley said.

Sue Baldwin, director of the Broward County Records Division in Florida, said all of the state’s counties are subject to a law requiring them to maintain Web sites for public records, many of which contain sensitive data.

A new Florida statute requires counties by the start of next year to black out Social Security, bank account, and credit and debit card numbers from document images that are already posted online. Also starting on Jan. 1, county recorders will be given the authority to black out the same numbers from new documents.

For now, recorders have “no statutory authority to automatically remove” such information from documents, Baldwin said. She added that Broward County residents who want sensitive data immediately excised from public records must file written requests.

Baldwin and Carol Fogelsong, the assistant comptroller for Florida’s Orange County, both downplayed the privacy and security issues of making full images of records available online, noting that anyone can view the actual documents at county offices.

“I understand people’s concerns, but a lot of this information has been freely available for public inspection since Plymouth Rock,” Fogelsong said.

“This is not a new situation,” Baldwin said, pointing out that Broward County began posting documents online in 1999. And because records have been publicly available “since the beginning of time,” concerns about posting them on the Internet amount to “a tempest in a teapot,” she said.

Wesley and Monacelli acknowledged that the availability of personal information online raises justifiable privacy concerns. But those worries need to be tempered by an understanding of the benefits, such as easier access to land records, they said.

“This whole topic of access to information is an issue that we as a nation are facing,” Monacelli said. “We have real estate professionals, title companies, attorneys and lenders who need this information for commerce purposes.”

There is also little evidence to show that the public availability of personal information on government sites has contributed to an increase in identity theft, Wesley said. For most identity thieves, the chore of sifting through millions of public records for useful data simply isn’t worth the effort, she added.

Instead of wrapping “a lot of fear and sensationalism” around the issue, Wesley said, what is needed is an informed discussion among legislators, privacy advocates and business representatives. She has organized a working group, with 20 members from the private and public sectors, to create model legislation governing the redaction of Social Security numbers and other personal data from records.

The number of public documents that contain sensitive information may be far lower than people assume, according to Fogelsong. Orange County is using an outside company to inspect about 30 million pages dating back to 1970 for the data that needs to be removed under Florida’s new statute (see related story, below). Fogelsong said that 119,000 of the 7 million pages inspected thus far have needed to have data hidden from view, or redacted.

The number of redacted pages amounts to just 1.63% of the total that have been inspected, Fogelsong noted. However, she added, the percentage is expected to go up to about 5% in the case of older documents because many more of them are likely to contain sensitive information.

Baldwin said there is also less sensitive data than meets the eye on Broward County’s Web site. “Most people’s documents don’t have [that kind of] stuff in them,” she said.

However, critics such as Bloys and Ostergren dismissed arguments that public records have long been available in pa-

Continued on page 12


Florida Counties Face State Deadline on Hiding Numbers

LIKE OTHER counties in Florida, Orange County is scrambling to comply with a state mandate that requires Social Security, bank account, and credit and debit card numbers to be removed by the start of 2007 from all online images of public records.

For Orange County, it’s an enormous task that involves examining nearly 30 million page images from records dating back to 1970, said Carol Fogelsong, the county’s assistant comptroller.

Instead of trying to do the work itself, Orange County last June signed a contract with Hart InterCivic Inc., an Austin-based provider of records management services for county governments.

Since then, the county has downloaded onto USB drives images of about 25 million pages from documents dated through April 30, 2005, and shipped them to Hart for inspection and redaction.

Hart has inspected about 7 million pages thus far and found information that needed to be redacted on about 119,000 of them, Fogelsong said.

Pages containing redactions are loaded back onto USB drives and returned to Orange County, which then replaces the original image with the new page. Fogelsong said the original images aren’t actually deleted - they’re just hidden from view.

Despite initial concerns about the technology challenges, the redaction process has been going better than expected, according to Fogelsong. She said Hart is using specialized optical character recognition (OCR) software to look for the banned numbers on both handwritten and typed pages. The pages are also being manually reviewed to ensure that nothing is missed, she added.

About 2 million pages are now being inspected per month, Fogelsong said. The process costs the county 2.35 cents per page, which would add up to a tab of $705,000 for the full allotment of 30 million pages.

Fogelsong acknowledged that even after the work is completed, some online documents will likely still display information that is supposed to be hidden. “I will not be able to stop everything,” she said. “But I’m doing the best I can.”

Florida’s Broward County plans to do its redaction work internally using software it bought from Aptitude Solutions Inc. in Casselberry, Fla., said Sue Baldwin, director of the Broward County Records Division.

“I don’t know how long the actual process will take,” she said. “But we intend to comply with the statutory requirements, including [the] deadline.”

According to Baldwin, there are “relatively few documents” posted on the county’s Web site that include sensitive information. Nonetheless, she said, the required redaction effort is “a massive job. We can’t do it overnight.”

Bruce Hogman, a Broward County resident who has worked as an IT professional for the past 30 years, said the effectiveness of OCR tools in redaction efforts could be limited by the challenges involved in programming the software to recognize specific types of data in documents that use different formats and are of varying quality.

As a result, the redaction of sensitive data could take longer than expected, leaving information publicly available for the next several months, Hogman said. He also noted that because much of the information already has been viewable for quite some time, it is questionable how useful redacting the data will be.

- JAIKUMAR VIJAYAN AND KEN MINGIS
Redaction Tools Hunt For, Hide Personal Information

REDACTION SOFTWARE works in much the same way that antispam tools do - by using algorithms to look for specific phrases or words. But they analyze images, not e-mail.

Some vendors use multiple levels of automatic analysis, while others narrow down the number of documents likely to need redaction and then rely on human intervention to help improve the software’s automatic redaction capabilities.

“It’s a new technology, but a proven technology,” said Paul Miller, president of Aptitude Solutions Inc. in Casselberry, Fla. Miller said Aptitude’s aiRedact software looks for specific numbers, words or combinations of related words, such as “account number” or “Social Security number.”

On big jobs involving millions of document images, several thousand pages are culled and manually analyzed by a worker who can verify that data should be redacted, Miller said. The software then automatically adjusts to redact the remaining records based on the manual choices. It typically costs between $200,000 and $300,000, he said.

ImageTech Systems Inc. in Camp Hill, Pa., has built a plug-in redaction module for Kofax Ascent Capture, a tool from Kofax Image Products Inc. in Irvine, Calif., that finds data in documents and forms.

R.J. Oommen, ImageTech’s principal, said the plug-in module uses several methods, including on-the-fly input from users, automatic processing of data in standard forms and an intelligent algorithm. The module starts at $5,000, but the total cost can exceed $100,000, Oommen said.

Other redaction vendors include SRS Technologies’ Systems Technology Group, Appligent Inc. and Image Architects Inc.

- TODD R. WEISS
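As an added example (not aiRedact, the ImageTech module or any county’s code), here is the keyword-and-pattern scan this sidebar and the Orange County story describe, run over constructed OCR text: it flags the three identifier types Florida’s statute names, checks card candidates with a Luhn checksum, sends bare nine-digit runs that lack a nearby “Social Security” keyword to a manual-review queue instead of auto-redacting them, and blacks out approved spans while the caller keeps the original. The page IDs, page text and every number in it are made up for the example.

```python
"""Scan OCR'd public-record page text for SSNs, bank account numbers and
credit/debit card numbers; emit redaction spans plus a manual-review queue.
Added example, not any vendor's or county's code. All sample data is
constructed (the card number is a public test number)."""
import re
from dataclasses import dataclass

# Constructed sample pages, as if produced by OCR of scanned document images.
SAMPLE_PAGES = {
    "deed-0001": ("QUITCLAIM DEED recorded 04/30/2005 Book 7712 Page 44\n"
                  "Grantor: J. DOE, Social Security No. 123-45-6789\n"
                  "Consideration: $10.00. Phone 555-867-5309\n"),
    "lien-0002": ("TAX LIEN. Debtor account number 00123456789 at First Bank.\n"
                  "Card on file: 4111 1111 1111 1111 exp 01/07\n"
                  "Case 2005 123 4567 filed by clerk\n"),
    "plat-0003": ("PLAT OF SURVEY Lot 12 Block 3\n"
                  "Instrument 200512345 recorded 05/01/2005\n"
                  "Consideration $125,000.00\n"),
}

# 9 digits in 3-2-4 groups, separators optional; area/group/serial values the
# SSA never issues (000, 666, 9xx / 00 / 0000) are excluded to cut false hits.
SSN_RE = re.compile(r"\b(?!000|666|9)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b")
# 13-19 digits with optional single spaces or dashes between them.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Keyword-driven, like the "combinations of related words" Miller describes.
ACCOUNT_RE = re.compile(
    r"\b(?:account|acct)\.?\s*(?:number|no\.?|#)\s*:?\s*(\d[\d -]{4,}\d)", re.I)
SSN_KEYWORDS = ("social security", "ssn", "ss#", "ss no")


@dataclass
class Finding:
    kind: str      # "ssn", "card" or "account"
    start: int     # character offsets into the page text
    end: int
    text: str
    review: bool   # True: cull for a human reviewer instead of auto-redacting


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_page(text: str) -> list[Finding]:
    """Return findings sorted by position; earlier, stronger matches win overlaps."""
    found: list[Finding] = []

    def overlaps(start: int, end: int) -> bool:
        return any(f.start < end and start < f.end for f in found)

    for m in ACCOUNT_RE.finditer(text):
        found.append(Finding("account", *m.span(1), m.group(1), review=False))
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())) and not overlaps(*m.span()):
            found.append(Finding("card", *m.span(), m.group(), review=False))
    for m in SSN_RE.finditer(text):
        if overlaps(*m.span()):
            continue
        bare = m.group().isdigit()
        context = text[max(0, m.start() - 40):m.start()].lower()
        keyword = any(k in context for k in SSN_KEYWORDS)
        # A dashed 3-2-4 number is a strong signal by itself. A bare 9-digit run
        # is auto-redacted only when nearby words say it is an SSN; otherwise it
        # could be an instrument or case number and goes to the review queue.
        found.append(Finding("ssn", *m.span(), m.group(), review=bare and not keyword))
    return sorted(found, key=lambda f: f.start)


def redact_page(text: str, findings: list[Finding]) -> str:
    """Black out auto-approved spans, preserving length so offsets stay valid.
    The caller keeps the original, as the counties hide rather than delete it."""
    out = list(text)
    for f in findings:
        if not f.review:
            out[f.start:f.end] = "X" * (f.end - f.start)
    return "".join(out)


def scan_pages(pages: dict[str, str]) -> dict[str, list[Finding]]:
    return {page_id: scan_page(text) for page_id, text in pages.items()}


def redaction_rate(results: dict[str, list[Finding]]) -> float:
    """Share of pages with at least one auto-redacted span (Orange County's
    running figure was 119,000 of 7 million pages, about 1.63%)."""
    hit = sum(1 for fs in results.values() if any(not f.review for f in fs))
    return hit / len(results) if results else 0.0


if __name__ == "__main__":
    results = scan_pages(SAMPLE_PAGES)
    for page_id, findings in results.items():
        for f in findings:
            print(page_id, f.kind, repr(f.text), "REVIEW" if f.review else "redact")
        print(redact_page(SAMPLE_PAGES[page_id], findings))
    print(f"pages auto-redacted: {redaction_rate(results):.2%}")
```

Hogman’s caveat above applies directly: patterns tuned for typed, well-formatted pages miss handwritten or low-quality scans, which is why the review queue and the manual pass matter as much as the regexes.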


BRIEFS

Oracle Buys Billing Software Vendor

Oracle Corp. last week agreed to buy Portal Software Inc., a maker of billing and revenue management software for the communications industry, for about $220 million. Oracle expects the transaction to close in June and plans to integrate Portal’s software capabilities into its ERP applications and the CRM software it acquired with Siebel Systems Inc. Oracle said it may use Portal’s software for other industries.

Sun Adds Microsoft Link to Thin Clients

Sun Microsystems Inc. has rolled out the second generation of its Sun Ray thin-client devices and software with added links to Windows environments. The new offerings also include smart-card slots to enable “hot desking,” which allows the use of Java-based cards to switch devices on the fly, starting up sessions where they left off.

NetApp to Expand Indian Operations

Network Appliance Inc. plans to expand a development center in Bangalore, India, that builds and supports several product lines, including its NetCache product. The center is also likely to run the company’s worldwide information systems. The expansion will include a new 180,000-square-foot facility that will house about 750 engineers over the next two years.

IBM Builds Chip Encryption Tool

IBM researchers have developed encryption technology that can be built directly into a microprocessor to help lock down data in mobile phones, PDAs, digital media players and other devices. The technology, called Secure Blue, can be used in consumer electronics, medical and government applications, and digital media. IBM is building the technology into its Power processor. The technology will also work in other vendors’ processors.
Personal Data

per form as specious.

“The simple truth is these records were safe in the courthouse for 160 years,” Bloys said. Now all it takes is Internet access and a rudimentary idea of how to look for sensitive data to find all sorts of information, he added.

Ostergren claimed that simply by “messing around” on county Web sites over the past three and a half years, she has found hundreds of thousands of pages containing sensitive information. She has printed out more than 17,000 records containing people’s Social Security numbers, the maiden names of their mothers (often used to verify identities) and the names of minors.

Among the countless nuggets that Bloys said he has found online was the complete medical history of a terminally ill government official in the Texas county of Fort Bend.

Buying Data in Bulk

It isn’t always necessary to search through Web sites, because online records can often be purchased in bulk for a fraction of what it would cost to buy them at a courthouse, Bloys said. For example, he said, officials in Fort Bend County last year sold a Florida company online copies of every document ever filed with the county clerk’s office. The cost for the estimated 20 million documents was about $2,500, said Bloys, who wrote an article about the transaction in his newsletter.

A call seeking comment on the matter from the Fort Bend County recorder’s office hadn’t been returned as of Computerworld’s publication deadline.

The company that bought the information is among a large number of businesses — including some in India, China and the Philippines — that routinely download records directly from county Web sites, Bloys claimed.

Bruce Hogman, a Broward County resident who recently raised concerns about the posting of personally identifiable information with Baldwin’s office, said real estate professionals and other business users don’t need all of the information included in documents posted online.

For real estate transactions, Hogman said, “they need nothing more than the names of the parties, the date of the transaction, the consideration, the book and page in which the data is recorded, together with the legal description — and not the actual image of the documents themselves.”

Ostergren said efforts to stop Virginia’s Hanover County, where she lives, from posting images of public records online have succeeded so far.

But 14 of the state’s 121 cities and counties do make records available online, she said, adding that the same thing is being done by counties in states such as Pennsylvania, North and South Carolina, Ohio, Georgia, Arizona, Texas and New York. That includes all five boroughs in New York City, according to Ostergren.

Fogelsong noted that Orange County residents who want information removed from documents can request that it be redacted (see related story, below). “I would love if people would check their records on their own” to ensure that no private data is publicly disclosed, she said.

But Ostergren dismissed such advice, saying Florida and North Carolina are currently the only states that allow residents to ask for their Social Security numbers to be removed from online records that were already posted.

On the other hand, many states have given county clerks the power to refuse to record new documents containing personally identifiable data, Ostergren said. Overall, though, “this online records mess has been the best-kept secret,” she added. “Ninety-nine percent of citizens haven’t a clue that the records are online in the first place.”

Computerworld’s Ken Mingis contributed to this story.


SINCE 2002, Broward County’s Web site has included instructions on how to request the removal of protected personal information from documents posted online, said Sue Baldwin, director of the Broward County Records Division.

She added that the Florida county has made the redaction-request instructions more visible on the site in response to the concerns about the disclosure of personal data raised last month by resident and IT professional Bruce Hogman.

For now, according to Baldwin, that is all she is empowered to do under Florida’s laws. “Aside from making the redaction-request process as user-friendly and speedy as possible, I do not have the independent authority to take any additional action regarding removing material from the public records,” she said.

Baldwin said that citizens who are concerned about their personal data being posted online should check to see if sensitive information is publicly accessible and then ask that it be blacked out.

“People have to assume some responsibility,” she said. “At least now, people can look at this stuff and say, ‘I don’t want people looking at this,’ and ask [us] to take it off. They should regard this as an opportunity.”

Hogman, who wants online records containing sensitive data taken down until a full solution is found, said he has tried to contact both of Florida’s U.S. senators and some state legislators, plus the FBI and the Federal Trade Commission.

As of last week, Baldwin was the only person he had heard back from.

“In my estimation, ‘do nothing’ is not a good solution because it leaves the information out there for public viewing,” Hogman said.

- JAIKUMAR VIJAYAN AND KEN MINGIS
China Pledges to Help Fight Software Piracy

WASHINGTON

DURING MEETINGS with U.S. trade representatives here last week, Chinese government officials committed to increasing protections for intellectual property in their country.

China will conduct seven special enforcement operations against intellectual property pirates this year, Vice Premier Wu Yi said at a press conference after talks between members of the U.S.-China Joint Commission on Commerce and Trade. The Chinese government will open infringement-reporting centers in 50 cities, she said.

In addition, Wu said that China will accelerate the transfer of piracy cases from administrative to criminal enforcement bodies. That would address complaints by U.S. software vendors that China doesn’t adequately enforce its intellectual property laws.

The talks were held a day after the Chinese government announced that all computers sold in the country must now include a preloaded, licensed operating system.

The Washington-based Business Software Alliance commended the Chinese government’s move to mandate preloaded software.

Framingham, Mass.-based market research firm IDC estimates that 90% of the software used in China during 2004 was unlicensed.

■ GRANT GROSS, IDG NEWS SERVICE


Two Chinese Vendors Sign Windows Deals

LOS ANGELES

IN ADVANCE of the Chinese government’s mandate regarding the use of licensed operating systems, two computer makers in China promised to distribute only licensed versions of Windows under new agreements with Microsoft Corp.

At a ceremony here on April 7, Microsoft signed deals with Beijing-based Tsinghua Tongfang Co. and Huizhou-based TCL Corp. Wu Yi, the Chinese vice premier, attended the ceremony on her way to Washington for the economic and trade talks.

John Litten, communications manager in Microsoft’s reseller division, said the Chinese manufacturers also agreed to help educate end users about the benefits of using licensed software, including the availability of vendor-provided support.

Under its deal, Tsinghua Tongfang has agreed to buy $120 million worth of Windows licenses over three years, according to a statement from Chairman Rong Yong Lin. TCL has agreed to purchase $60 million worth of licenses over the same period, said Yang Weiqiang, a group vice president at that company.

Microsoft signed a similar deal last November with Lenovo Group Ltd.

■ BEN AMES, SUMNER LEMON AND NANCY WEIL, IDG NEWS SERVICE

Taiwan President Blasts Google, Yahoo on China

TAIPEI, TAIWAN

IN A speech commemorating a local human rights activist, Taiwan President Chen Shui-bian accused Yahoo Inc. and Google Inc. of compromising free speech in China to boost their corporate profits.

Chen called on the Chinese government and companies such as Yahoo and Google “to respect democracy and freedom, because it is the correct way to ensure continuous future development.” Taiwan’s president used an annual ceremony for activist Cheng Nan-jung as a platform for his contention that countries should not compromise free speech or freedom of the press.

Neither Google nor Yahoo responded to requests for comment.

In January, Google launched a censored version of its search engine in China, while Yahoo has faced criticism for providing Chinese police with e-mail messages that helped put a journalist in jail for 10 years.

■ DAN NYSTEDT, IDG NEWS SERVICE


Australian State Signs Health Care IT Pacts

MELBOURNE, AUSTRALIA

THE DEPARTMENT of Human Services in the Australian state of Victoria has awarded health care software vendor Cerner Corp. a contract to implement new clinical applications for all of the state’s public-sector health providers.

The contract with North Kansas City, Mo.-based Cerner is part of the agency’s HealthSmart program, a four-year initiative valued at $323 million Australian ($236 million U.S.).

HealthSmart contracts have also been awarded to TrakHealth Pty. in Sydney, Australia, for a client management system; iSoft Group PLC in Manchester, England, for an integrated patient records system; and Frontier Software Pty. in Melbourne for a human resources system.

In addition, Oracle Corp. won a contract to provide financial and supply management software to the Victoria Department of Human Services.

All of Victoria’s HealthSmart technology is expected to be in place by next year.

■ MICHAEL CRAWFORD, COMPUTERWORLD TODAY


Ethernet Service Links Hong Kong to Beijing

HONG KONG

HUTCHISON GLOBAL Communications (HGC) Holdings Ltd. has launched an Ethernet service that connects Hong Kong with Beijing and China’s Guangdong province, in an attempt to meet growing corporate demand for networking connections between Hong Kong and mainland China.

HGC, a unit of Hong Kong-based Hutchison Telecommunications International Ltd., said the need for cross-border networking capabilities has been increasing since China joined the World Trade Organization and signed the Closer Economic Partnership Agreement with Hong Kong. The CEPA is designed to improve economic ties between Hong Kong and the rest of China.

The Ethernet service will be offered through an expanded partnership between HGC and Beijing-based China Telecommunications Corp. HGC said the service eliminates the need for companies to reconfigure their networks or install specialized equipment.

The link also lets users adjust the speed of their network connections from a minimum of 2Mbit/sec. to more than 45Mbit/sec., according to HGC.

■ SUMNER LEMON, IDG NEWS SERVICE
Percentage of Europe’s online population of 82 million people that used instant messaging applications in February.


Briefly Noted

VeriFone Holdings Inc. has agreed to buy rival point-of-sale terminal maker Lipman Electronic Engineering Ltd. in Rosh Haayin, Israel, for about $793 million in cash and stock. San Jose-based VeriFone said Lipman will help it gain access to more wireless and IP-based payment technologies. VeriFone expects to complete the deal by the end of October.

■ PETER SAYER, IDG NEWS SERVICE

Sony Corp. and Samsung Electronics Co. have agreed to jointly build a $2 billion facility in Tangjeong, South Korea, for manufacturing LCD panels. The deal expands S-LCD Corp., a joint venture between Sony and Samsung that operates an LCD production line.

■ MARTYN WILLIAMS, IDG NEWS SERVICE

Comverse Inc. in Wakefield, Mass., has agreed to acquire Netcentrex SA, a vendor of voice-over-IP software in Paris. Comverse will pay about $164 million, plus another $16 million if Netcentrex meets certain financial performance goals. Netcentrex generated about $50 million in revenue last year, said Comverse, which sells software that supports network-based communication and billing services.

■ GRANT GROSS, IDG NEWS SERVICE

Unilever NV has awarded Accenture Ltd. a seven-year contract to provide application development, implementation and support services to its European operations. The deal expands on an earlier pact under which Hamilton, Bermuda-based Accenture provides consulting and IT services to Rotterdam, Netherlands-based Unilever.

China United Telecommunications Corp., the second-largest mobile network operator in China, has introduced a push e-mail service called RedBerry - a name that echoes Research In Motion Ltd.’s (RIM) popular BlackBerry service. RIM is in talks with China Unicom’s main rival, China Mobile Communications Corp., about launching the BlackBerry service in China. RIM officials didn’t comment on the brand name chosen by Hong Kong-based China Unicom.

■ SUMNER LEMON, IDG NEWS SERVICE
EMC Extends On-site Services Offerings

BY SHARON FISHER AND SHELLY SOLHEIM

EMC Corp. last week extended its professional services arm with the unveiling of an on-site support program to help IT officials manage large storage environments.

In addition, the company today is set to bring out an entry-level disk backup system designed for small and midsize businesses, along with updates to the full Clariion Disk Library line.

The EMC Managed Services offering is geared for businesses that require multiyear, on-site management of storage environments with more than 100TB of capacity. Under the program, EMC employees are dedicated to a site and provide support based on service-level agreements.

Thomas Schiller, general manager of IT at Toyota Motorsport GmbH in Cologne, Germany, an early user of the service, said that it has enabled his company to focus IT resources on its core business.

With six to eight EMC workers on-site, Toyota Motorsport, which handles the design, manufacturing and operations for the Toyota Formula 1 program, doesn’t “need to have [its] own dedicated resources,” Schiller said.

Previously, the company used its own IT staff, along with EMC employees, for short-term engagements, he said. Schiller would not disclose how much EMC is paid for the service.

EMC said American Express Co. has also signed a multiyear contract for the new services.

A spokeswoman for New York-based American Express said the company hopes the program can increase its flexibility and improve its cost structure for data storage.

The new entry-level disk backup system, the Clariion DL210, has a capacity of between 4TB and 24TB.

It’s a Small World

“An entry-level box for a smaller enterprise is a very good idea,” said John Halamka, CIO at Harvard Medical School and CareGroup Healthcare System in Boston.

Halamka said he’s not yet familiar with the new low-end product, but said he expects it to offer the reliability he finds on the high-end EMC backup systems at the medical school.

Meanwhile, The Black & Decker Corp. in Towson, Md., plans to evaluate the new low-end model for its remote sites, said Ian McLeavy, manager of global engineering storage. The company already uses EMC’s 700 series of high-end Clariion disk backup systems, he said.

EMC will also announce today that the full Clariion line of tape drives will now support the IBM iSeries platform and EMC’s NetWorker 7.3 backup and recovery software, which EMC gained in its acquisition of Legato Systems Inc. more than two years ago.

This latest announcement shows that EMC is paying attention to user complaints that the company’s various acquisitions have not been well integrated, said John Webster, an analyst at Data Mobility Group LLC in Nashua, N.H.

New Product

The EMC Clariion DL210 disk-based backup system
• Uses 500GB Serial ATA disk drives
• Has up to 24TB capacity
• Supports IBM iSeries systems
• Supports EMC NetWorker backup and recovery software
• Is priced starting at $50,000
• Is shipping now

Solheim is a reporter for the IDG News Service.
TD Ameritrade Encryption Project Is Nearly Complete

CIO says work at TD Waterhouse sites should be finished this month

BY LUCAS MEARIAN

Ameritrade Holding Corp. late last year finished rolling out technology to encrypt corporate data as it moves from servers to backup devices, just before its acquisition of TD Waterhouse Group Inc. closed in January. Jerry Bartlett, CIO of the combined firm, called TD Ameritrade Holding Corp., talked about extending the encryption technology to TD Waterhouse sites and other issues at the recent Storage Networking World conference.

Have you rolled out the Decru encryption technology throughout the combined company?
We completed it in the November and December time frame for the Ameritrade facilities. And we’re completing it for the combined TD Ameritrade this month.

Was the process of installing encryption technology difficult?
The difficulty was around deciding what we were going to do and how we were going to do it — not around the implementation itself. Once we realized that we needed to execute like it’s any other infrastructure project, we assigned a project manager with a plan coordinating our infrastructure teams.

How many Decru encryption appliances have been deployed?
About a dozen.

Do you have any concerns about unencrypting data for restoration in the future?
Not really. We’re comfortable with the backward-compatibility commitments. We would be concerned if the encryption algorithm were changed.

How long did it take to deploy the appliances?
It took us less than six months to do the legacy Ameritrade. It took us less than three months to do the TD Waterhouse side.

How much data do you encrypt?
In the neighborhood of 30TB per week, including full and incremental backups.

How have the regulators reacted to the decision to encrypt your data?
The feedback we’ve received is that they’re thrilled about it. So we’re thrilled about that.

What other types of storage challenges is your company facing?
It’s this whole idea of a formal and automated approach to information life-cycle management. We have very well-understood retention rules, but it’s too manual.

As we acquire companies and the obligations of those firms become our obligations — client data, client e-mails — that’s probably one of the biggest hurdles we have to address. We’re just starting to put together a strategy to address it. I think we have a good approach to rationalizing storage around our applications, which is important.

What is your take on the upcoming Storage Networking Industry Association standard to allow migration of data across tiers of storage?
My fundamental view is we are, and ought to be, vendor-agnostic. My team’s a big believer in standards — in this case, standard interfaces and the ability for a heterogeneous group of vendors to be able to be utilized across the whole data life cycle, I think, is the right direction.

Does that mean the company, now mostly an EMC shop, will look at technology from other vendors?
Right now, we’re an EMC shop, so as we do mergers and acquisitions, we stick with EMC. It doesn’t mean we won’t continue to look at vendors whose offerings become potentially higher in quality, availability and resiliency at competitive cost points. A fundamental tenet is [that] we’re vendor-agnostic.


New Processes Speed Chain’s Salon Openings

BY HEATHER HAVENSTEIN

Great Clips Inc. is about a year away from wrapping up a four-year effort to overhaul and automate its business processes. Officials say the project is a key reason why the company has already been able to increase new store openings from 200 per year to 300.

The Minneapolis-based chain of 2,500 hair salons completed the first phase of the $1 million project in July 2005 by automating and streamlining what had been a 120-step process for opening a new salon.

This July, Great Clips IT developers will begin work on overhauling the business procedures used by managers to work with franchisees and existing salons. And at the beginning of next year, the company plans to launch the last phase of the project: re-engineering its contract management and communication processes.

The full project is slated to be completed in mid-2007.

“In our previous state, it was hard for management to be able to see the performance of the business processes — to see into it and measure it,” said Jim Waldo, vice president of IT at Great Clips. The company decided to automate its processes to give executives the visibility they need to manage them more proactively, he said.

That decision came after an internal analysis in 2003 determined that the company’s procedures were preventing it from meeting growth plans.

The internal study found, among other things, that people in various steps in the process — such as internal employees, real estate agents and contract managers — had to spend significant time searching for information before handing it off to the next person in the chain.

Great Clips officials decided to automate its processes using Metastorm Inc.’s eWork business process management (BPM) suite and Interwoven Inc.’s MailSite Document Management suite. Metastorm’s BPM suite is designed to support design, integration and deployment of new internal procedures while integrating them into existing applications and systems.

For the first phase of the project, from July 2004 to July 2005, Great Clips developers used the Metastorm tool to automate and streamline the course of action for opening a new salon. Prior to completing the first phase, the 120-step process included eight specialized roles and 50 users.

Automation let Great Clips eliminate 20 of those steps. The most important result, Waldo said, was eliminating the steps that required people to wait for “days up to two weeks for information that was already in the building.”

The project required significant effort from Great Clips developers working with the third-party tools, Waldo noted.

For instance, he said, the learning curve for Metastorm tools was steep. To make sure all the developers gained proficiency in the product, the company required that its entire development team first attend training as a group and then immediately begin work on a pilot project with limited scope and integration.

In addition, the developers had to make sure Interwoven’s MailSite product — which captures and stores content directly from Microsoft Outlook — was tightly integrated with the desktop information manager.

Dennis Byron, an analyst at IDC in Framingham, Mass., said the ideal application of BPM tools is making communications with internal and external users — such as business partners or suppliers — easier. In addition, he noted that overhauling and automating business processes isn’t trivial.


Timeline: A Business Automation Project

FALL 2003: Performed process analysis.
JULY 2004-JULY 2005: Automated and scaled back 120-step process for opening new salons.
JULY 2006: Begin work on automating processes for working with franchisees and existing salons.
JANUARY 2007-JUNE 2007: Begin work on automating contract management and communication processes.

The  Adaptive  Network 


Designed  to  1  ICyv 
in  completely  new  ways 


ProCurve’s strength is our flexibility. Our Adaptive EDGE Architecture distributes intelligence from the core to the edge, enabling secure, mobile and converged networks that adapt rapidly and cost-effectively to your changing business needs. Add to the equation our leading position in defining industry standards, our lifetime product warranty* and our 25 years of innovation, and you have a sound case for making ProCurve the foundation of your network.

To find out how ProCurve Networking by HP can improve your network, go to www.hp.com/learn/procurve3 or call (800) 975-7684, Ref. Code Learn3.

ProCurve Networking

HP Innovation

*Lifetime warranty applies to all ProCurve products, excluding the 9300m and 9400sl series routing switches, 8100fl series interconnect fabric switches and Secure Access 700wl Series, which have a one-year warranty with extensions available. © 2006 Hewlett-Packard Development Company, L.P. Photo: Alan Karchmer.
The Mandate to Improve IT

There is a peculiar irony that characterizes IT in organizations today.

On the one hand, IT is most definitely at the vanguard of both customer service and service to internal constituents. On the other hand, IT is still looked upon in many companies not as a provider of business value, but as a cost center.

To counter this perception and give IT a seat at the corporate strategy table, leading organizations are discovering there is real and definable business value to improving IT service. By doing so, IT management can define and then efficiently deliver business-critical IT services at their point of maximum effectiveness, supporting business goals and cementing IT’s role as an enabler. In other words, improved service is key to unleashing IT’s tremendous potential energy and giving a business what it really wants, namely a competitive differentiator and competitive advantage.

Improving service is not simply a cool idea for gaining respect. The real driver is the business environment itself, where the only constant is constant change brought about by forces like regulations, mergers, shifting customer demands, and internal financial requirements. A service-driven IT organization that is process-oriented and focused on business requirements actually leads the business in responding quickly and decisively to these changes and upheavals. That's a far cry from an IT organization regarded as a financial black hole.

How to get there from here

With so much to gain by improving service, a common question for IT managers is, “What's the best approach for doing so?” The answer is for IT to make continuous improvements to service management and service availability.

Service management improvements effectively enable companies to control change and resolve issues using a set of industry best practices based on long-standing IT Infrastructure Library (ITIL) standards. With improved service management, a business can better integrate processes that are far-flung and fragmented, thereby providing far greater visibility into key financial and operational metrics. For business, this is a big win.

For example, CA Service Management from CA provides a business interface to IT services by way of a service catalog to calculate the complete costs of service delivery while assuring that desired service levels can actually be reliably delivered.

The service catalog can offer variable costs for different service levels, in terms that line-of-business managers can easily comprehend. This solution can also ensure that required software is deployed in accordance with license requirements.

Improving service availability, meanwhile, optimizes the reliability, performance, and security of the IT environment to deliver services in support of the business with a high level of automation. The best service availability solution is one that can effectively tune the IT infrastructure to keep vital business services online and accurate.

That means finding a solution that monitors and manages all infrastructure components in real time. Moreover, when the solution identifies problems, it has to correct them immediately while learning intuitively from historical problem resolution to then manage more proactively in the future. These are the tenets upon which CA built its CA Service Availability solution, which also maps IT components to the business services they support.

Releasing a wave of measurable business value

Big benefits from improving service

Concerted efforts to boost IT service have been shown to pay handsome dividends. By one estimate, companies with best practices in place for a streamlined, well-managed environment can reduce total cost of IT ownership by nearly one-third.

Beyond gaining pure efficiencies, companies that invest in solutions to improve services gain previously hidden insights into applications, systems, and networks, which in turn become far more proactive to change in anticipation of problems. So systems are not merely available, but they are also finely tuned to deliver consistently high-quality information on demand.

Improving services can markedly increase the ability of a business to respond to ever-present change, much of which is unforeseen. When IT can respond quickly to such change, the rest of the business is encouraged to pursue continuous, incremental process improvement. And this leads to the business holy grail of lower costs, faster cycle time, and superior bottom-line results.

STABILITY

If there's one constant in business today, it's change. But large or small, internal or external, change doesn't have to impede IT service delivery. Think of change as an opportunity for IT to satisfy fluctuating demand while maintaining a stable, productive work environment. With integrated CA software solutions for service management and service availability, you can unify and simplify the way you manage complex IT services across the enterprise. Anticipate and prioritize shifting demand. Automate processes to ensure timely delivery and reliability of service. And leverage industry best practices such as ITIL. It's all possible with our unique approach to managing technology called Enterprise IT Management (EITM). To learn more about how CA solutions can stabilize change to create a true service-driven IT environment, visit ca.com/deliver.
Misuse of Insurer’s Data Points to Inside Threats

Users cite need for tools that can help monitor traffic on corporate networks

BY JAIKUMAR VIJAYAN

An incident in which an employee at Progressive Casualty Insurance Co. wrongfully accessed information about foreclosure properties she was interested in buying highlights the IT security dangers posed by corporate insiders — and the need for tools that can help guard against misuse of data.

Progressive officials confirmed this month that the Mayfield Village, Ohio-based company notified 13 people in January that personal information — including their names, Social Security numbers, birth dates and property addresses — had been accessed by an unauthorized employee who has since been fired.

Michael O’Connor, a spokesman for Progressive, said the company was alerted to the situation when a woman in Ohio complained about receiving calls from an agent inquiring about her house being under foreclosure. The employee “wrongly used the information in a real estate database,” O’Connor said. He noted that although no hacking was done to get at the data, the agent’s actions constituted a violation of Progressive’s code of ethics.

“We investigated the situation, the employee was terminated, and we alerted the people whose data was accessed,” he said, adding that the matter was resolved in January.

Malice and Accident

Such incidents underscore the threats posed to corporate data by malicious insiders and by workers who accidentally leak sensitive information, said Phil Neray, a vice president at database security tools vendor Guardium Inc.

“Most companies have done a good job with perimeter security,” Neray said. But now there’s a growing need for tools that can help users monitor and audit all activity inside their networks, databases and applications, he added.

For instance, Sirva Inc., a Westmont, Ill.-based provider of relocation services, is using an appliance from Mountain View, Calif.-based Reconnex Corp. to help keep tabs on its intellectual property and other sensitive data while it goes through a series of divestitures.

“One of the things that happens after a divestiture is that people take the stuff they are working on to their new companies,” said Chuck Shmayel, vice president of infrastructure and security at Sirva.

The Reconnex appliance sits at the network-egress points in each of Sirva’s four data centers and monitors traffic to ensure that confidential information doesn’t exit the company’s networks, either by accident or design.

It isn’t just Sirva’s own data that is at stake. “As a relocation service, we handle a lot of confidential information on behalf of our customers, and we want to make sure it’s protected,” Shmayel said.

Monitoring the data that is flowing out of networks can go a long way toward mitigating accidental as well as deliberate leaks, said Mark Moroses, senior director of technical services at Maimonides Medical Center in Brooklyn, N.Y.

Under the Health Insurance Portability and Accountability Act, Maimonides is required to have controls for securing protected health information. The hospital is using Reconnex’s appliance to detect if such data is leaving its networks in an unauthorized way.

“A patient is not going to come to our hospital if they think we are not doing everything to protect their information,” Moroses said.
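The Progressive case above was caught only because a victim complained; the kind of internal audit Neray describes would surface it from the database's own records. The following is an added example, not code from the article or from any vendor it names: it reviews constructed database audit records and flags users who read sensitive columns from customer accounts they are not assigned to handle. The field names, the assignment table and the sample log lines are all assumptions made for this example.

```python
"""
Added example (not from the Computerworld article or any product it names):
review constructed database audit records and flag insider reads of
sensitive columns on customer accounts outside the reader's assignment.
Field names, the assignment table and the sample records are assumptions.
"""
import csv
import io
from collections import defaultdict

# Columns whose exposure would oblige the company to notify affected people.
SENSITIVE_COLUMNS = {"ssn", "birth_date"}

# Constructed audit log: who read which columns of which customer record.
SAMPLE_AUDIT_LOG = """\
timestamp,user,role,customer_id,columns
2006-01-09T09:02:11,jsmith,claims_agent,C1001,"name,ssn,birth_date"
2006-01-09T09:05:40,jsmith,claims_agent,C1002,"name,address"
2006-01-09T09:06:02,agent07,policy_agent,C2201,"name,ssn,birth_date,address"
2006-01-09T09:06:30,agent07,policy_agent,C2202,"name,ssn,birth_date,address"
2006-01-09T09:07:01,agent07,policy_agent,C2203,"name,ssn,birth_date,address"
2006-01-09T10:15:22,dba01,dba,C1001,"name"
"""

# Constructed assignment table: which customers each user may legitimately handle.
ASSIGNMENTS = {
    "jsmith": {"C1001", "C1002"},
    "agent07": {"C2201"},
    "dba01": set(),  # administrators have no business reading customer rows
}


def parse_audit_log(text):
    """Parse CSV audit records into dicts; the 'columns' field becomes a set."""
    records = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["columns"] = set(rec["columns"].split(","))
        records.append(rec)
    return records


def find_unassigned_sensitive_reads(records, assignments):
    """Return {user: sorted customer_ids} for reads that touched a sensitive
    column on a customer outside the user's assignment. A read of only
    non-sensitive columns (e.g. 'name') is not flagged by this rule."""
    hits = defaultdict(set)
    for rec in records:
        touched_sensitive = rec["columns"] & SENSITIVE_COLUMNS
        allowed = assignments.get(rec["user"], set())
        if touched_sensitive and rec["customer_id"] not in allowed:
            hits[rec["user"]].add(rec["customer_id"])
    return {user: sorted(ids) for user, ids in hits.items()}


def affected_people(hits):
    """Count distinct customers whose sensitive data was read without
    assignment: the notification list, as in the 13 people Progressive notified."""
    people = set()
    for ids in hits.values():
        people.update(ids)
    return len(people)


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    flagged = find_unassigned_sensitive_reads(recs, ASSIGNMENTS)
    for user, ids in flagged.items():
        print(f"{user}: unassigned sensitive reads on {', '.join(ids)}")
    print("people to notify:", affected_people(flagged))
```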


Microsoft Finally Issues Patch for Exploited Browser Bug

Vendor says that monthly schedule avoids disruption

BY ROBERT McMILLAN

Microsoft Corp. last week released its security software patches for April, including one to address an unpatched bug in the Internet Explorer browser that hackers had been exploiting for several weeks.

As expected, the company released five patches addressing critical vulnerabilities in IE and the Windows operating system. Microsoft also released fixes for Outlook Express, Windows FrontPage Server Extensions and SharePoint Team Services 2002.

The list of patches for IE includes a fix for the vulnerability that hackers had exploited by tricking users into visiting sites that took advantage of the bug and then conning them into downloading unauthorized software on their PCs.

The problem was serious enough that security vendors eEye Digital Security in Aliso Viejo, Calif., and Determina Inc. in Redwood City, Calif., created patches to address it. Last week, eEye reported more than 156,000 downloads of its software.

Isabel Maldonado, a LAN administrator in the attorney’s office of Maricopa County, Ariz., followed Microsoft’s advice to IE users to avoid hackers by disabling Active Scripting on the 1,100 workstations she administers.

After disabling the software, Maldonado said her Phoenix-based staff fielded about 100 support calls over a two-week period.

Microsoft has said that it tends to avoid releasing early patches — even when they relate to bugs that hackers are already exploiting — because customers find the regular monthly patch releases far less disruptive.

But Maldonado said she would have been happy to have the IE problem patched earlier. “I would have much rather they’d rushed out a patch,” she said. “I can’t think of a customer that would say, ‘Oh no, don’t send me the patch right now,’ if there’s a zero-day alert.”

Though he does not expect a major malware outbreak following the release of the patches, Jonathan Bitle, a product manager at security software vendor Qualys Inc. in Redwood Shores, Calif., said that hackers are likely to take advantage of some of the new vulnerabilities.

“With so many issues addressed by these patches ... we expect that we might see some aftershocks,” he said. “These issues could easily be exploited leveraging the naivete of inexperienced users.”

Microsoft also released patches for a similarly critical vulnerability in the way Windows Explorer handles Component Object Model objects and for a vulnerability in an ActiveX control called RDS.Dataspace, which is distributed with the Microsoft Data Access Components.

McMillan writes for the IDG News Service.


Oracle Posts Exploit Code for Database Flaw

ORACLE CORP. appears to have accidentally released details about an unpatched security vulnerability in its database software, including sample code for exploiting the flaw.

The information about the vulnerability was included in a note that was briefly posted on Oracle’s MetaLink customer support portal on April 6.

Oracle removed the information the next day after being informed of the security risks, said Alexander Kornbrust, a business director at Red-Database-Security GmbH in Neunkirchen, Germany.

Kornbrust distributed an advisory about the vulnerability to the Full Disclosure security mailing list last Monday. The security researcher said he decided to go public with the information about the vulnerability because enough people had already seen Oracle’s MetaLink note to pose a risk for users of the database.

An Oracle spokeswoman declined to comment about how the exploit code was released. She said the company plans to provide a software fix for the database hole “in a future quarterly patch update,” although it won’t be in the next set of security patches that Oracle plans to release tomorrow.

To exploit the vulnerability, an attacker would first need to have a user account on an Oracle database. By creating specially crafted queries, users who normally would only be able to read data could change the underlying information in a database.

- ROBERT McMILLAN, IDG NEWS SERVICE
Sybase Updates SQL Anywhere Database

BY ERIC LAI

The iAnywhere Solutions Inc. unit of Sybase Inc. today starts shipping a beta release of Version 10 of its SQL Anywhere embeddable database, which promises improved performance and new backup features.

The SQL Anywhere beta comes nearly three years after SQL Anywhere 9 became available, said Breck Carter, a database consultant at RisingRoad Professional Services in Toronto and author of a SQL Anywhere manual.

The typical gap between releases of the database has been 18 months, he said.

Uno Money Transfers runs SQL Anywhere as its corporate database on Microsoft Corp.’s Windows Server 2003 operating system. SQL Anywhere manages the Miami-based financial services firm’s 40GB database, which handles all of its international money transfers, according to Luiz Paulo, vice president of technology at the company.

Paulo said he plans to upgrade to the new version to use its new data-mirroring capabilities for safe backups and for its intraquery parallel-computing feature, which will speed transactions on Uno’s four-way Xeon server.

beds SQL Anywhere 8 in its QuickBooks 2006 accounting software, expects to use the revised database in a future version of its software, said Tim Child, director of engineering at Intuit.

Child said he is impressed with Version 10’s database-encryption feature and its snapshot-isolation feature, which he says allows for high-speed reporting.

The beta of SQL Anywhere 10 runs on Windows and

Motion 

Computing 


World’s  smallest, 
most  compact  Tablet  I 

Motion  Computing's  LS800  Tablet  PC  is  a  true  breakthrough  in  size  and 
performance.  Weighing  only  2.2  pounds  and  about  the  size  of  a  paperback, 
the  powerful  LS800  features  Intel®  Centrino®  Mobile  Technology  for 
exceptional  mobile  performance  and  productivity.  Experience  the 
versatility  and  mobility  of  the  Motion™  LS800  pre-installed  with 
Microsoft®  Windows®  XP  Tablet  PC  Edition  2005.  Don't  let  its 
small  size  fool  you,  the  LS800  Tablet  PC  gives  you  all  the 
advantages  of  a  full-strength  operating  system  and  is 
tough  enough  to  go  just  about  anywhere. 

The  Motion  LS800  is  the  first  to  give  you  full  desktop  functionality 
in  an  ultra-mobile  slate  Tablet  PC  -  it's  the  only  PC  you'll  need. 

Motion  recommends 

Microsoft®  Windows®  XP  Tablet  PC  Edition. 
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New  Features 

The  new  version  of  the  data¬ 
base  also  adds  encryption 
capabilities,  support  for  mate¬ 
rialized  views  for  faster  access, 
new  performance-analysis 
tools  for  developers  and 
the  ability  to  split  up  large 
queries  among  multiple  proc¬ 
essors,  said  Chris  Kleiseth, 
iAnywhere’s  senior  director  of 
engineering. 

Version  10  also  adds  integra¬ 
tion  with  Microsoft’s  Visual 
Studio  .Net  2.0  environment 
and  support  for  the  Symbian 
operating  system,  Kleiseth 
said. 

SQL  Anywhere  has  so  far 
been  deployed  10  million 
times,  according  to  Dublin, 
Calif.-based  Sybase. 

Intuit  Inc.,  which  em- 


Linux.  Sybase  plans  to  ship 
a  final  version  for  those  two 
operating  systems  in  the  third 
quarter.  Final  versions  for  So¬ 
laris  and  the  Macintosh  will 
ship  in  the  following  quarter, 
said  Kleiseth. » 
Debate Over Costs, Benefits Of Certification Is Unsettled

Initials can provide opportunity, more pay but can't guarantee competence

BY LAMONT WOOD

IT'S NOT hard to write the initials after the name of a networking professional: CCIE for Cisco Certified Internetwork Expert, or CNE for Certified Novell Engineer, among dozens of others.

The initials mean that someone is a certified professional for a specific task or product. But before going through the process of earning such a certification, a networking professional should determine whether those initials are worth the effort necessary to acquire them.

"It's a tough question," said Robert Rosen, president of Share, the IBM mainframe user group, and CIO of the National Institute of Arthritis and Musculoskeletal and Skin Diseases in Bethesda, Md. "But I know a lot of people who use them as a gating factor [when hiring], so if you want to maximize your opportunities, they're a good thing to have."

"It certainly is worthwhile," said Matthew Cody, a convergence engineer at Verizon Communications Inc.'s offices in Maplewood, N.J.

Four years ago, Cody began a quest to acquire four different Cisco Systems Inc. certifications to gain specialized skills. The effort eventually led to a new job with a 10% pay increase, he said.

The downside of certification, Rosen said, is that it doesn't guarantee competence.

"I have seen people with great paper certifications who could not troubleshoot their way out of a paper bag," Rosen said. "Some are great test-takers, but they can't apply it. The certificate shows they have made some effort to learn the technology, but the key to hiring is what they have done with it. Can they address real-world problems?"

Bureaucrats love certificates, Rosen said, because they give them a box to check off, "but that's not doing due diligence. You have to ask things like, 'Tell me about a really interesting problem you solved and how you solved it.'"

"It would be foolish to hire someone just based on certification, since you also have to make sure they know what they are doing," Cody noted. "It's possible to have a good career without certifications, but certifications make it easier to get in the door."

David Foote, president of Foote Partners LLC, a human resources research firm in New Canaan, Conn., said his latest IT compensation survey, released last month, found that networking certification resulted in an average pay premium of 9.1% in the first quarter of 2006. The average premium for all certifications is 8.2%.

Certifications can offer benefits to organizations as well as individuals, added Cushing Anderson, an analyst at IDC.

IDC surveys have found that, compared with having a staff that has no formal training, having a staff that holds certifications should increase an organization's ability to resolve networking failures by 20% to 40% and reduce the number of unexpected outages by 10%, Anderson said.

Also, "people see [the offering of certification classes by employers] as a benefit and are more loyal," he noted.

Anderson did note that the certification process can be time-consuming and costly.

Classroom training programs can take 10 to 12 days at a cost of $500 to $1,000 per day and are often funded by the student's employer, he said. Online and self-directed study through books and videos are less-expensive alternatives.

Cody recalled that each of his four certifications required passing four or five exams.

He kept the total cost of each certification to about $125 by using self-study methods and online training programs. Cody estimated that classroom training for each exam would have cost about $3,000 in metropolitan New York.

Of course, there are certifications, and then there are certifications, noted Neill Hopkins, vice president of skills development at The Computing Technology Industry Association Inc. in Oakbrook Terrace, Ill.

Hopkins divided the field into high- and low-stakes certificates. High-stakes certificates, which offer the most benefit, involve taking carefully developed tests delivered in a proctored setting. Low-stakes tests may be administered online with no precaution against cheating or imposters.

Nonetheless, Hopkins said, low-stakes testing can be beneficial for self-assessment.

Wood is a freelance writer in San Antonio.

Texas Seeks Help in Consolidating Data Centers

One of several efforts by states to cut IT costs

BY PATRICK THIBODEAU

The state of Texas is seeking proposals from outsourcers to consolidate 31 data centers that run 16 mainframes and 7,000 servers and employ more than 500 people. The move is part of an effort to cut costs and eliminate duplication.

Earlier this month, Texas issued a request for proposals, which are due by the end of May. The state plans to select a vendor for the project by year's end, said Leslie Mueller, assistant director for customer services at the Texas Department of Information Resources in Austin.

The state's IT oversight agency believes that Texas "can get tremendous value" from such a project by eliminating duplications in its infrastructure, said Mueller. Analysis determined that annual data-center operating costs in Texas total about $107 million.

The state legislature mandated the consolidation in a measure approved last summer. The agency hasn't yet decided how many data centers will remain after the consolidation is completed.

Consolidation Trend

Texas is hardly alone among state governments in planning a consolidation project, but its initiative is one of the largest.

For example, a survey of 34 states, including Maryland, Massachusetts and New Jersey, by the National Association of State Chief Information Officers (NASCIO), shows a solid push at the state level toward data-center consolidation.

The survey also found that many states are considering moving to shared-services delivery in an effort to cut costs. Several states are looking to companies to provide data-center operations, communications systems, payment systems and disaster recovery as services, the NASCIO survey found.

According to the NASCIO report, about 77% of the state officials surveyed said that they had either consolidated data centers or have projects in progress. In addition, nearly 85% of respondents reported shared data-center services projects under way.

The consolidation efforts and the use of and demand for shared services "were higher than I expected them to be," said John Gillispie, who is chief operating officer at the Iowa Department of Administrative Services' Information Technology Enterprise. He is also co-chair of the NASCIO committee that conducted the survey and reported some of the findings. "I think everybody is seeking efficiency," Gillispie said.

There are several factors driving the consolidation and shared-services efforts by the states, including aging IT workforces, legacy systems and the advent of technologies that many staffs aren't prepared for, said John Lovelock, an analyst at Gartner Inc.

The Stamford, Conn.-based research firm predicts that by 2010, at least half of all state governments will investigate outsourcing initiatives to support major operations.

Lovelock called the use of shared services "an enabling step" that moves a state closer to outsourcing, because it's "taking responsibility a half a step away" from the state agency that uses the service.

The data-center consolidation in Texas, for instance, is seen as a step toward improving interoperability between various agencies, setting the stage for the use of shared services.
SAN Helps Chemical Firm Keep Oil Wells Pumping

Benchmark Energy taps iSCSI system

BY SHARON FISHER

Everyone knows you can't do a good frac job without slurry.

And nobody knows this better than Steve Collins, manager of IT services at Benchmark Energy Products LP, a supplier of chemicals to the oil industry.

It's his job to give Benchmark workers and clients the computer resources needed to make sure that the slurry — a gel that turns into an oatmeal-like sludge — is available for "frac jobs," where the gel is pumped into an oil well under high pressure to fracture the ground to make the oil flow better.

Benchmark installed a $60,000 storage-area network (SAN) from EqualLogic Inc. in Nashua, N.H., about a year ago to improve its disaster recovery and backup capabilities. The SAN replicates Benchmark's BizNet accounting software and Microsoft Exchange e-mail data.

Collins said the accounting system gets replicated every night from Benchmark Energy's Houston headquarters to its largest facility, in Midland, Texas, over the SAN's 3Mbit/sec. point-to-point connection.

The SAN provides 3TB of storage and supports 130 people across three sites. "The SAN has given me better control of our volumes and data," Collins said.

He said the bulk of the accounting and e-mail data was moved onto the SAN within two weeks of starting the project. Now the company is migrating data being created as it upgrades the BizNet software to work with Microsoft's SharePoint collaboration software and Access database.

Benchmark last week moved to unify its backups by buying a Dell Inc. LTO-3 autoloader, based on the Linear Tape-Open standard, that is consistent with the SAN. It performs tape backups using EMC Corp.'s Retrospect software.

Benchmark's clients include oil industry giants such as Halliburton Co. and Schlumberger Ltd. "We're a midsize company, and it's hard to get to all the best practices we should be doing," Collins said. "We need a lot of bang for the buck because we're not able to throw a lot of people at a project." The SAN has become a key tool for meeting those requirements, he said.

Collins began evaluating backup and disaster recovery technologies more than a year ago, first an iSCSI SAN system from EqualLogic and then Fibre Channel and iSCSI technologies from EMC.

Collins said he was impressed with the ease of use of EqualLogic's SAN technology. "I was already pretty much sold on iSCSI," he said. "I always had a knock against Fibre Channel. It's not known for how easy it is to use."

As for EMC, Collins said, "they were pushing Fibre Channel, which was much more expensive." EMC also offered an iSCSI SAN, but Benchmark went with EqualLogic instead.

Roger Cox, an analyst at Gartner Inc. in Stamford, Conn., said that while EMC offers similar iSCSI SAN products, he believes that EqualLogic's is easier to use.
DON TENNANT

A Documented 'Uh-oh'

WHEN Computerworld's Jaikumar Vijayan broke the story last week about a Florida county that posts on its Web site documents with residents' personal information, we knew we'd snagged a big one. But it wasn't until Vijayan's pursuit of the story uncovered the extent to which the practice is carried out all over the country that we understood what we were on to. It was then that an expletive or two echoed through the newsroom. Rough translation: "Uh-oh."

It began, as many of our stories do, with a tip from a reader. Bruce Hogman, a resident of Broward County, Fla., with 30 years of IT experience, wanted us to be aware that the county's Web site is a treasure trove of personal information — including Social Security, bank account and driver's license numbers — contained in property records and other public documents. According to Hogman, Florida's two senators, various state legislators, the FBI and the Federal Trade Commission had all turned a deaf ear to his concerns about these online records being used to aid identity theft and other forms of fraud.

In all fairness, it's not surprising that these government officials might dismiss Hogman as a crackpot. If his concerns were legitimate, why hadn't they been raised sooner? Why hadn't there been a huge clamor about a practice that, if true, would be so blatantly ill-conceived and contrary to the public good?

Yet if the officials had bothered to investigate Hogman's claims, they would have found that everything he said is true. If any one of them had phoned Sue Baldwin, director of the Broward County Records Division, Baldwin could have confirmed it as casually and as matter-of-factly as she did with Vijayan.

"All this information has been out there and available since the beginning of time," she told Vijayan last week. "It was out there, and the people who were educated about it knew it was there. It's been online since 1999." Moreover, the same situation exists in "all the counties in Florida [and] lots of [other] states," Baldwin said.

Now that Vijayan's reporting, which substantiated those comments, has been picked up by several other national media outlets and we've been educated about what can only be characterized as an outrageous, far-reaching breach of personal privacy and security, it will be interesting to see what happens next.

State and county governments will likely downplay the issue, arguing that many documents by statute are available for public reference in county offices, and that going the online route saves time and resources. Clearly, making images of these documents available online was done with the best of intentions, but the practice was horribly shortsighted. Now we have millions of document images posted online, and the process of expunging (typically called "redacting" in document-imaging circles) sensitive information such as Social Security numbers is a time-consuming, expensive process.

It's difficult not to feel some compassion for cash-strapped state and county governments that face a problem that's so immediate and so overwhelming in its scope. But denying or downplaying the severity of the threat is unfair to the millions of people whose privacy and security are potentially at stake. And equating the availability of documents online with their availability in a locked county courthouse is irresponsible.

"Uh-oh" is right. This is bad. And nothing short of immediate, resolute action to make it better is acceptable.

DON TENNANT is editor in chief of Computerworld. Contact him at don.tennant@
THORNTON A. MAY

Leadership Is Needed to Handle Data

A GOOD FRIEND who occupies a major position in a prominent global financial services firm is very concerned about the state of leadership in matters involving the management of personal information. To make this point come alive, my friend recently challenged a group of alpha executives attending a Value Studio at the IT Leadership Academy to explain what they would do in the following hypothetical situation:

A person signs up for a subscription to a newspaper's online service. The newspaper company, in the normal course of setting up the account, collects and stores information about the customer, including name, address and credit card number.

Then, in the normal course of providing its service, the newspaper company tracks which articles the customer reads and which advertising links she clicks on. After some time, the customer decides to cancel the service. This is no big deal; it happens all the time.

However, not only does she want to stop using the service, she also wants her data back. In fact, she wants the data expunged — not merely deleted, but really gone.

Such requests to leave no digital trace aren't common — yet. They will be the norm in the future.

Having set up this scenario, my friend asked the Value Studio participants to assume roles representing four constituencies: IT, marketing, legal and corporate affairs. Faculty members of the IT Leadership Academy played the customer, the CEO of the newspaper company and the newspaper's board of directors.

The groups were given 10 minutes to discuss their strategies, after which they reported their suggested course of action to the CEO.

The legal team, predictably, stuck to the letter of the law. It was their belief that the newspaper need not take any action, since the contract gives the customer no rights to her data, and no such rights are implied. Their position was that the operative legal contract protects the newspaper company from such requests. Three cheers for the legal team for such a textbook display of thinking inside the box.

Neither the corporate affairs team nor the marketing team was happy with the legal team's analysis. The marketing team thickened the plot of this scenario by revealing that this customer is a U.S. senator from the state with the newspaper company's most profitable customer base and that her husband is the founder of a megachurch near the state capital that has more than 1 million members. Both of these teams favored going beyond what was legally required to try to satisfy the ex-customer's request.

As for IT's perspective, the technical team reporting to the CIO wasn't convinced that it could guarantee eradication of any and all traces of the customer, given the disjointed state of the company's customer data systems.

If you were the CIO, what would you suggest? If you were the CEO, what would you want your CIO to tell you? As a citizen in an increasingly information-rich world, what do you think is the right thing to do?

Please send me your response and I will e-mail you the aggregate consensus of the readership.

Advertisement: SunGard Availability Services

YOUR JOB IS TO KEEP SYSTEMS AND APPLICATIONS RUNNING. OUR MISSION IS TO KEEP PEOPLE AND INFORMATION CONNECTED. LET'S WORK TOGETHER.

Continuous access to information no matter what. That's Information Availability. It's what your employees, suppliers and customers demand every minute of every day. But to deliver it flawlessly, you need a massive global infrastructure, redundant systems and diverse networks being monitored and supported by skilled technical experts at secure facilities. That's exactly what SunGard provides.

As a result, we can offer you a higher level of availability and save your company, on average, 25%* versus building the infrastructure yourself. Plus, it's a vendor neutral solution that lets you control your data, applications and network while giving you the flexibility to adjust to the changing needs of your business. But best of all, it lets you spend more time solving business problems and less time solving technical problems.

For years, companies around the world have turned to SunGard to restore their systems when something went wrong. So, it's not surprising that they're now turning to us to mitigate risk and make sure they never go down in the first place.

You want your network and systems to always be up and running. We want the same thing. Let's get together. To learn more, contact us at 1-800-468-7483 or go to www.availability.sungard.com/masteria and get your free copy of the book "Mastering Information Availability."

SUNGARD Availability Services | Connected™

*Potential savings based on IDC White Paper, Ensuring Information Availability: Aligning Customer Needs with an Optimal Investment Strategy.

"BY UTILIZING SUNGARD FOR AN ADVANCED RECOVERY SOLUTION, I WAS ABLE TO GET MY COMPANY BACK UP IN A MATTER OF HOURS,"

— Brian Finley, CTO, PSS/World Medical Inc.

When it comes to being prepared for unplanned IT interruptions, you need to know your systems are either always available or can be quickly recovered. That's where SunGard's Information Availability solutions can help. We deliver the secure data, systems, networks and support you require to help your business stay in business. Because your employees, suppliers and customers rely on you to be available every minute of every day, you need continuous access to information no matter what — you need Information Availability.

For over 25 years, businesses have turned to SunGard to restore their systems when something went wrong. So, it's not surprising that they now turn to us to give them options to make sure they never go down in the first place. Plus, SunGard offers solutions that let you remain in control of your IT environment and enjoy the flexibility required to adjust to the changing needs of your business.

SunGard has a wide range of solutions to meet your enterprise-wide requirements. Here are just a few of those solutions:

Server Replication solutions allow you to minimize data loss and recovery time for your Microsoft® Windows®-based applications. If your server is unavailable, for whatever reason, you can have a fast and easy recovery of replicated servers located at a SunGard facility. When your applications, such as databases, e-mail and file servers, need to be recovered in less than 24 hours, Server Replication gives you data center redundancy without the high cost of building your own secondary facility.

E-Mail Availability Service helps companies ensure that their electronic communications are readily available across the enterprise despite situations that impact the availability of servers, software, work facilities or staff. SunGard's E-Mail Availability Service can have you back up and running in less than a minute.

Hosted Exchange Service can help you to offload the complex management of Microsoft® Exchange® servers, licensing and patch management. SunGard customers can also recognize a lower total cost of ownership* for their e-mail install base.

System Recovery, Mobile Recovery, Network Recovery and End-User Recovery Services help you get back up quickly when disaster strikes.

Your job is to keep systems and applications running. Our mission is to keep people and information connected. Let's work together. To learn more, contact us at 1-800-468-7483 or go to www.availability.sungard.com/masteria and get your free copy of the book "Mastering Information Availability."

*The Radicati Group. Radicati White Paper "Microsoft Exchange 2003 Total Cost of Ownership."


DAVID  MOSCHELLA 

IT  Spreads, 

Industry  by 
Industry 

When  was  the  last 
time  that  news 
from  an  IT  vendor 
grabbed  the  attention  of  the 

enterprise  IT  community,  let  alone  the 
broader  business  media?  If  you’re  like 
most,  you  have  probably  shrugged  off 
Microsoft’s  Vista  delays  and  the  huge 
proposed  mergers  that  would  combine 
Lucent  with  Alcatel  and  AT&T  with 
BellSouth.  Compare  this  reaction  with 
the  frothy  front-page  coverage  once 
given  to  Windows  95,  the  browser  wars 
and  Linux. 

While  some  may  see  this  relative 


indifference  as  the  inevi¬ 
table  result  of  a  maturing  IT 
industry,  or  even  as  a  sign 
that  IT  no  longer  matters,  a 
closer  look  reveals  just  the 
opposite.  Enterprise  IT  has 
never  been  more  interesting, 
and  technology  is  now  driv¬ 
ing  business  transformation 
controversies  that  dwarf  the 
vendor  squabbles  of  the  past. 

Consider  the  following  10  IT 
stories  that  are  playing  out 
across  much  of  the  devel¬ 
oped  world. 

1. Governments are debating if and how they should move toward a new generation of identification cards and cross-linked databases. For better or worse, both could be powerful new platforms for societal security and control.

2. The health care industry is struggling to develop the standards and cooperation needed to automate medical records processing. Few paths offer more hope for better care and more effective cost control.

3. The insurance industry is looking at the same sorts of health records and debating whether to use individual information to price insurance coverage based on family history, genetic proclivities, driving habits or other personal traits and behavior.

4. The pharmaceutical industry is considering moving away from its increasingly problematic one-size-fits-all drug manufacturing approach to developing products that are customized to the needs of smaller groups or even individuals.

5. Book publishers and Google are locked in a fierce legal battle to determine what will constitute “fair use” on the Internet. At stake is the scope and manner of future book-content innovation.

6. As services such as iTunes and YouTube take off, the traditional record and television companies are losing their decades-old grip on the identification and promotion of new entertainment talent.

7. Unlike checks, credit cards and ATMs, it looks as if both Internet and mobile phone payment systems will be led not by banks but by new entries, with potentially profound effects on the evolution of the financial services industry.

8. For reasons of cost and reliability, both retailers and manufacturers continue to hold back on massive RFID deployments, with major implications for supply chain advancements.

9. As concerns about global warming increase, various schemes for monitoring and charging for peak-hour driving and other forms of energy use are being either planned or implemented.

10. While the public Internet developed almost accidentally as an open platform not controlled by any one supplier, there is no guarantee that this will always be so. Backbone transmission providers are seeking to expand their influence.

In short, every industry has its own IT-driven story, each of vital interest to its sector. Thus, the real enterprise IT action has moved away from adopting general-purpose products and is now centered on business and industry change. That’s the sort of maturity we should all welcome. How is your company’s industry changing? And are your IT organization’s priorities changing with it?

WANT OUR OPINION?

More columnists and links to archives of previous columns are on our Web site: www.computerworld.com/columns


Firefox vs. IE vs. None of the Above

WHY IS IT that most articles regarding browsers are about Firefox and how much better it is than Internet Explorer [“Firefox Finds Cracking the Corporate Market to Be a Challenge,” Feb. 13]? While I agree that IE has shortcomings, Firefox isn’t much better. It’s slow to start, has an unpolished appearance and has limited support for Microsoft technologies like Microsoft Challenge Handshake Authentication Protocol. Why is there never a mention of alternatives like Maxthon and Avant Browser? These browsers, which are more like wrappers for IE that don’t use the iexplore.exe executable, offer all the features of Firefox and much more, such as groups, the ability to resume saved sessions, locked tabs, RSS, ad blocking and plug-ins - most without the extra download of extensions or plug-ins.

Charles Haven
IT manager, High Point, N.C.


Firefox isn’t a 100% solution. Because many interactive Web sites, especially those that handle transactions, don’t deal with it well, I use IE when doing things like making airline reservations. Nonetheless, Firefox is my browser of choice, and I encourage my more tech-savvy users to use it.

Bill Pratt
Camarillo, Calif.

Security Should Be Easier and Cheaper

THE Q&A with Thomas Noonan, president and CEO of Internet Security Systems Inc. [“New Threats Outflank IT Defenses, Says Vendor Exec,” Feb. 27], was filled with such vague, evasive and self-serving answers as to be totally worthless.

I would love for him to explain why deploying a few intrusion-detection devices or enabling global patch management for a network of 7,500 users costs so much, even when the technology is alleged to be highly automated. Vendors claim that they want us to be secure, but their costs for security products and services outside of such highly competitive areas like antivirus and basic antispam are priced so as to discourage comprehensive deployment.

It isn’t surprising that businesses often take a gamble with certain types of threats or ignore certain levels of risk.

In addition, Microsoft, Cisco and other infrastructure vendors are ultimately doing the right thing by adding security functionality. Noonan is clearly concerned about what this will do to demand for his products, but users are tired of bolting security on after the fact.

The top five problems with data security, as I see them, are that defense-in-depth strategies are highly desirable yet hideously expensive; many business executives consider the inherent redundancy of defense in depth to be unnecessary; companies are more concerned with avoiding bad publicity than bad security and are willing to gamble on the relationship between the two; we keep trying to make security “seamless,” when a greater benefit would be derived from changing user processes; and business executives greet every new security deployment with, “Everything is fixed, right?”

The idea that security is ongoing has yet to be adequately conveyed.

Andrew S. Baker
Director, server operations and security, Caldwell, N.J.

COMPUTERWORLD welcomes comments from its readers. Letters will be edited for brevity and clarity. They should be addressed to Jamie Eckle, letters editor, Computerworld, P.O. Box 9171, 1 Speen Street, Framingham, Mass. 01701. Fax: (508) 879-4843. E-mail: letters@computerworld.com. Include an address and phone number for immediate verification.

For more letters on these and other topics, go to www.computerworld.com/letters


DAVID MOSCHELLA is global research director at the Leading Edge Forum, a Computer Sciences Corp. company. Contact him at dmoschella@earthlink.net.
Risk Formula

The risk-based security model is “forcing us to think more strategically,” says Greg Avesian, vice president of enterprise IT security at Textron. PAGE 28

Beyond Posters

You need more than catchy slogans to get workers to take security seriously. Here’s how. PAGE 42

No Silver Bullet

Risk is an inherent part of business, says columnist Mark Hall. The biggest security mistake you can make is to take a one-way approach. PAGE 51


EDITOR’S NOTE

WE SECURE information systems because the business would be brought to its knees if we didn’t protect trade secrets, vital corporate networks and sensitive data. Yet the business would also be brought to its knees if we spent every last dime in the treasury on security. Yes, it’s possible to overspend on security. The trick is to figure out how to reach what ex-CIO Doug Lewis calls “the prudent zone” of security investment.

Increasingly, IT leaders are using a risk-based model that directs security spending to the places where a breach would cause the most damage to the business. Companies such as Textron and Standard Chartered Bank are already headed down this road, using metrics to prioritize security risks and allocate resources to mitigate them more efficiently. Some companies use a dashboard to keep an eye on all of those security metrics from a single console. Some classify data at different security levels — much like intelligence agencies do — so they can match the security effort to the classification level.

This new model is replacing “gut feel” decisions with equations like Risk = P x L, where P is the probability of an event that will cause a financial loss of L. It’s a far cry from installing a firewall. But a business-driven, cost-benefit approach to security investments is something the chief financial officer, CEO and board of directors can embrace, which may be the most important benefit of all.

Mitch Betts is executive editor at Computerworld. Contact him at mitch_betts@computerworld.com.


The Business Of Security

IT leaders are taking a more businesslike approach to security and risk management.

The latest approach to security is to put money where damage from a breach would be greatest.

By Steve Ulfelder

“HOW DO YOU TAKE a risk, have five people take a look at it and have a consistent measure of what it might cost the business?” asks Greg Avesian, vice president of enterprise IT security at Textron Inc. It’s not a rhetorical question: The $10 billion conglomerate, based in Providence, R.I., recently embraced the risk-based security model, and quantifying the potential damages of various threats is one of the discipline’s major challenges.

In the IT arena, security spending has traditionally been tactical, even scattershot, with a rationale difficult to pin down beyond a vague idea that — to take a cue from Emil Faber, founder of Faber College of Animal House fame — Security Is Good. The risk-based security model is an effort to change that.

“Organizations are beginning to deal with risk coherently,” says Chris Byrnes, an analyst at Gartner Inc. “Rather than viewing infosec as an island, they’re looking across a broader set of risks.”

The risk-based model can be a big win for the enterprise because it directs spending where it’s needed most, resulting in stronger security. But IT groups are struggling to master the challenges of the still-new concept.

Logical Progression

In the risk-based model, IT and security managers work with business units to identify the biggest threats to the business and then set priorities for security investments. In essence, this model is a cost-benefit analysis to ensure that the security budget is spent wisely.

Clearly, then, the risk-based security model is a logical outcome of the tightening bond between business priorities and technology expenditures. Just as portfolio management and other disciplines tie IT spending to the most productive business initiatives, risk-based security prioritizes spending by the potential damage of various threats.

At Textron, “we looked at [risk-based security] because, like everybody else, we’ve got a finite amount to spend on risk mitigation,” Avesian says. The new model, he adds, “has helped us develop a consistent framework when evaluating risk, and it’s forcing us to think more strategically.” The company has long emphasized process and views the risk-based model as a complement to its efforts to comply with the Sarbanes-Oxley Act and its devotion to both the Six Sigma quality-control methodology and Control Objectives for Information and Related Technology (Cobit), a set of best practices for IT management.

Sarbanes-Oxley and Cobit each introduced robust controls, Avesian says, while Textron’s Six Sigma history taught it to standardize processes wherever possible — which, in turn, entailed measuring progress on that standardization. Indeed, Textron has a resident Six Sigma Black Belt (a rare level of expertise) who is the company’s risk-based “process owner.”

Analysts and security managers say the growing importance of regulatory compliance has encouraged the adoption of risk-based security. Many demands of Sarbanes-Oxley, the Health Insurance Portability and Accountability Act and other regulations not only help companies become aware of security risks they may have overlooked, but also dictate controls to plug the holes.

That’s what happened at Canadian Pacific Railway Ltd., a multibillion-dollar business with about 8,500 SAP users. In its push to comply with Sarbanes-Oxley (which the company had to follow because it does extensive business with U.S. trading partners), the railway ran Compliance Calculator, a tool from Fremont, Calif.-based Virsa Systems Inc. According to Margaret Sokolov, SAP security and controls lead at Calgary, Alberta-based Canadian Pacific, the compliance software demonstrated that “we had some segregation-of-duties issues” that were problematic for both Sarbanes-Oxley compliance and information security.

The security risks uncovered involved an area in which most businesses underspend: company insiders. Like most large SAP users, Canadian Pacific has a cadre of “superusers” and subject-matter experts who push SAP development forward. These end users had been granted extraordinary access to data and code so that they could tweak interfaces and processes.

When Virsa flagged this access as a barrier to Sarbanes-Oxley compliance, Sokolov’s team members realized that a severe threat to data security was right under their noses (although Sokolov hastens to add that the company found no evidence whatsoever of wrongdoing). Prompted by Virsa, the railroad closed the vulnerability with a series of controls. Now, when SAP superusers set out to alter code in an unusual way, a note about the activity is automatically sent to their managers. Afterward, a complete log of the activity is also sent for review and approval.

“This was a case where [compliance software] made us aware that we needed to direct additional spending toward an inside risk,” Sokolov says.
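The two pieces the railway describes, a segregation-of-duties check over role assignments and a notify-the-manager control on privileged changes, can be sketched in a few dozen lines. The Python below is an added example written for this page, not Canadian Pacific’s configuration, Virsa’s rule set or SAP’s data model: the conflict pairs, role names, function names, users and the change-event fields (user, object, target, ticket, manager) are all constructed, and the definition of an “unusual” change is an assumption.

```python
"""Segregation-of-duties check over ERP-style role assignments, plus the
privileged-change notification control described above.

Added example: conflict pairs, roles, functions, users and the change-event
schema are constructed; nothing here is Virsa's rule set or SAP's data model.
"""
from collections import defaultdict

# Pairs of functions no single person should be able to perform (constructed).
SOD_CONFLICTS = [
    ("vendor_master_maintain", "vendor_payment_release"),
    ("purchase_order_create", "goods_receipt_post"),
    ("user_administration", "audit_log_maintain"),
    ("abap_develop", "transport_import_prod"),
]

# Role -> functions it grants (constructed).  SAP_SUPERUSER is the kind of
# broad grant the article describes: development, production and finance.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"vendor_master_maintain"},
    "AP_SUPERVISOR": {"vendor_payment_release"},
    "PURCHASER": {"purchase_order_create"},
    "WAREHOUSE": {"goods_receipt_post"},
    "BASIS_ADMIN": {"user_administration", "transport_import_prod"},
    "SECURITY_AUDITOR": {"audit_log_maintain"},
    "SAP_SUPERUSER": {"abap_develop", "transport_import_prod",
                      "vendor_master_maintain", "vendor_payment_release"},
}

# User -> roles (constructed).
USER_ROLES = {
    "jdoe": {"AP_CLERK"},
    "msmith": {"AP_CLERK", "AP_SUPERVISOR"},
    "rlee": {"SAP_SUPERUSER"},
    "pchan": {"PURCHASER", "WAREHOUSE"},
    "kwong": {"BASIS_ADMIN", "SECURITY_AUDITOR"},
}

PRIVILEGED_ROLES = frozenset({"SAP_SUPERUSER", "BASIS_ADMIN"})


def functions_by_role(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Map each function the user holds to the set of roles that grant it."""
    granted = defaultdict(set)
    for role in user_roles.get(user, ()):
        for fn in role_functions.get(role, ()):
            granted[fn].add(role)
    return granted


def find_sod_violations(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS,
                        conflicts=SOD_CONFLICTS):
    """Return {user: [violation, ...]} for users holding both sides of a
    conflict pair.  Each violation records which roles grant each side and
    whether a single role grants both (then removing a role assignment
    cannot fix it; the role itself has to be split)."""
    report = {}
    for user in user_roles:
        granted = functions_by_role(user, user_roles, role_functions)
        found = []
        for a, b in conflicts:
            if a in granted and b in granted:
                found.append({
                    "functions": (a, b),
                    "roles_a": sorted(granted[a]),
                    "roles_b": sorted(granted[b]),
                    "intra_role": bool(granted[a] & granted[b]),
                })
        if found:
            report[user] = found
    return report


def review_change(change, user_roles=USER_ROLES, privileged=PRIVILEGED_ROLES):
    """The compensating control: every change by a privileged user is logged
    for after-the-fact review, and the manager is notified at once when the
    change is 'unusual', which this example takes to mean a production target
    or no change ticket (an assumption, not the railway's definition).
    `change` keys: user, object, target, ticket, manager (constructed schema)."""
    if not user_roles.get(change["user"], set()) & privileged:
        return []
    actions = [f"log_for_review:{change['object']}"]
    if change["target"] == "PROD" or not change.get("ticket"):
        actions.append(f"notify_manager:{change['manager']}")
    return actions


if __name__ == "__main__":
    for user, violations in find_sod_violations().items():
        for v in violations:
            print(user, v["functions"],
                  "within one role" if v["intra_role"] else "across roles")
    print(review_change({"user": "rlee", "object": "ZPAY_RUN", "target": "PROD",
                         "ticket": None, "manager": "ops-mgr"}))
```

The intra_role flag is the part a compliance tool’s summary tends to hide: msmith’s conflict goes away by revoking one of two roles, while rlee’s superuser role carries both halves of two conflicts and has to be split (or, as the railway did, wrapped in monitoring) before the finding can close.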

IT’s Role

Adopting risk-based security is not only inexpensive; properly implemented, it also cuts costs two ways in the long term. First, fewer dollars flow to security efforts in which risks are low. And second, the additional money spent to reduce high-impact risks can save an organization enormous sums by preventing lawsuits, safeguarding proprietary information and, in the case of publicly traded companies, averting negative publicity, which can pummel stock prices.

While risk-based security may remove a certain amount of control from IT’s hands, the IT group has a substantial role to play. According to Forrester Research Inc. analyst Michael Rasmussen, understanding and assessing various IT risks “generates a mountain of data that needs to be translated into meaningful information.” Forrester suggests that IT groups implement risk dashboards and risk indicators such as intrusion-detection systems to effect this translation.

According to Rasmussen, several vendors are beta-testing risk dashboards, while “some organizations use SMTP applications to develop them internally.” A fully operational dashboard, he adds, will include systems monitoring and server status functionality, as well as automated alerts for exceptions. The presentation layer will be customized depending on the end user — a senior business executive may see only a red-light/green-light indicator on his home page, while IT staffers would of course see much more detail.


In the early stages of a shift to risk-based security, IT must also conduct an inventory of all technology assets and then assign a value to each — one of the trickiest phases of the process. This is where ephemeral fears must be turned into hard data. Questions include, “What is the fiscal impact if a given system goes down?” and “What’s the fiscal impact if data integrity or confidentiality is compromised?” The answers must address not only short-term transactional problems but also the effects on customer loyalty and stock value.

Gartner’s Byrnes says it’s vital that business process owners be involved in this stage.

Says Avesian, “I spent six months last year finding a single person in each [of Textron’s 20-plus units] to serve as a focal point for security assessments.” He has formed a 25-member IT risk management team that meets monthly and is part of Textron’s formal governance process.

IT must also play a strong role when controls are being assessed and written. That’s hardly new, but in risk-based security, there’s a twist.

In the past, once the need for a control was established, IT would simply be sent off to create it, with little attention paid to the price tag. But any control — from an improved firewall to an appropriate-use policy — has an associated cost. Under the risk-based model, these costs must be closely matched to the potential fiscal impact of the risk.
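Putting the editor’s note’s Risk = P x L together with the asset inventory and control costs described in this section gives a small ranking exercise: expected loss per asset, expected loss each control removes, and which controls a fixed budget should buy. The Python below is an added example written for this page, not Textron’s framework or anything from Gartner or Forrester. Every asset, probability, loss figure and control cost is invented, and control costs are assumed to be annual so that they compare directly with annual expected loss.

```python
"""Risk = P x L over a constructed asset inventory, ranking controls by the
expected loss each dollar of control spending removes.

Added example: assets, probabilities, losses and control costs are invented,
and control costs are assumed to be annual so that they compare with annual
expected loss.  Not Textron's framework.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    p_annual: float      # P: probability the event happens in a year
    loss: int            # L: loss in dollars if it does
    control: str
    control_cost: int    # annualized cost of the control, in dollars (assumption)
    p_residual: float    # P once the control is in place


def expected_loss(r):
    """Risk = P x L, in whole dollars."""
    return round(r.p_annual * r.loss)


def risk_reduction(r):
    """Expected loss the control removes: (P - P_residual) x L."""
    return round((r.p_annual - r.p_residual) * r.loss)


def benefit_cost(r):
    """Dollars of expected loss removed per dollar spent on the control."""
    return risk_reduction(r) / r.control_cost


# Constructed register: the numbers are for illustration only.
REGISTER = [
    Risk("SAP production", "multi-day outage", 0.10, 3_000_000,
         "hot disaster-recovery site", 400_000, 0.02),
    Risk("Customer database", "insider data theft", 0.25, 1_200_000,
         "SoD review and privileged-access logging", 90_000, 0.05),
    Risk("Field laptops", "lost laptop holding customer data", 0.60, 300_000,
         "full-disk encryption", 60_000, 0.06),
    Risk("Public web site", "defacement", 0.30, 40_000,
         "web application firewall", 50_000, 0.05),
    Risk("Finance e-mail", "phishing leading to a fraudulent wire", 0.40, 500_000,
         "second-person callback on payment changes", 30_000, 0.10),
]


def prioritize(register, budget):
    """Fund controls in order of loss removed per dollar.  A control that
    costs more than the loss it removes is rejected outright (the business
    is better off carrying that risk); one the remaining budget cannot cover
    is deferred.  Greedy, so not guaranteed optimal under a tight budget,
    but it makes each trade-off explicit."""
    funded, uneconomic, deferred = [], [], []
    remaining = budget
    for r in sorted(register, key=benefit_cost, reverse=True):
        if benefit_cost(r) < 1.0:
            uneconomic.append(r)
        elif r.control_cost <= remaining:
            funded.append(r)
            remaining -= r.control_cost
        else:
            deferred.append(r)
    return {
        "funded": funded,
        "uneconomic": uneconomic,
        "deferred": deferred,
        "spent": budget - remaining,
        "loss_removed": sum(risk_reduction(r) for r in funded),
    }


if __name__ == "__main__":
    for r in sorted(REGISTER, key=benefit_cost, reverse=True):
        print(f"{r.asset:18} {r.threat:40} EL={expected_loss(r):>9,} "
              f"removed={risk_reduction(r):>9,} cost={r.control_cost:>8,} "
              f"ratio={benefit_cost(r):.2f}")
    plan = prioritize(REGISTER, 200_000)
    print("fund:", [r.control for r in plan["funded"]], "spent", plan["spent"])
```

Two things the table makes visible that a “Security Is Good” budget does not: the disaster-recovery site has the same expected loss as the insider-theft risk but is rejected because it removes less loss than it costs, and with a $150,000 budget the greedy order buys the two cheaper controls and defers the database control even though it removes the most loss in absolute terms.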

In Search of a Methodology

RISK-BASED SECURITY cries out for a standardized approach to risk assessment. To date, the closest thing to a leader in this nascent field is from Carnegie Mellon University’s Software Engineering Institute.

Operationally Critical Threat, Asset and Vulnerability Evaluation, or OCTAVE, is a self-directed methodology you can use to determine your risk exposure in the context of business activities and priorities. OCTAVE’s creators say the system can be used to accomplish the following:

■ Identify information assets, vulnerabilities and threats.

■ Protect data both tactically and strategically.

■ Set up an internal assessment team.

■ Provide the risk assessments demanded by HIPAA, Sarbanes-Oxley and other regulations.

While none of the businesses interviewed for this article use OCTAVE today, all say it’s on their radar screens as the top risk-based security methodology. Gartner analyst Chris Byrnes agrees with that assessment. He adds that if OCTAVE has a weak point, it’s that “you need an advanced, sophisticated governance model in place to really get the most out of it” - thus, the businesses that need OCTAVE the most may be those that are least able to take advantage of it.

To learn more, visit www.sei.cmu.edu.

- STEVE ULFELDER

Pinning Down the Numbers

For IT, the challenges of the risk-based security model are as familiar as they are thorny. For starters, the CIO or security officer must establish an ongoing relationship with key business units, for fact-finding and to stay abreast of changing risks. Moreover, the essential need is to quantify that which may resist quantification; assigning a risk factor, and in particular loss estimates, to a new product or partnership is hardly an exact science.

One aspect of the risk-based model may take some getting used to for IT: As information security ceases to be a stand-alone entity and is instead absorbed into the larger risk picture, responsibility for it may be pulled from the technology group. “We believe 30% of [Gartner’s] client base has taken infosec away from the CIO,” Byrnes says.

Indeed, the most advanced form of risk-based security, dubbed enterprise risk management, is being pushed hard by the large auditing firms. Many businesses that have gone whole-hog into ERM (including virtually all financial services companies, according to Byrnes) have named chief risk officers who report to the CEO or even the board of directors (see “Risk Reducer,” page 48).

Tim Maletic, information services security officer at Grand Rapids, Mich.-based Priority Health, is part of a team mulling a move to risk-based security. But he remains unconvinced of the feasibility of assigning an accurate cost figure to various threats. “In a general way, spending your [security] dollars where you can get the most protection is just sensible,” he says. “And that’s what we’re doing.”

As an example, he points to the health care company’s recent implementation of Cupertino, Calif.-based ArcSight Inc.’s Enterprise Security Manager application. The ESM package compiles and simplifies reports from firewalls, intrusion-detection systems, and antispyware and antispam software, and thus is “the next logical step,” Maletic says.

And even though ArcSight has indeed helped him spend his security budget where it’s needed most — especially where staffing is concerned — Maletic is skeptical about a grand concept that claims to quantify all security risks.

He’s not the only skeptic. Risk-based security, while an appealing idea, appears to demand a level of governance and cooperation with business units that’s rare in the day-to-day roller derby of operational IT.

Ulfelder is a freelance writer in Southboro, Mass. Contact him at steve@ulfelder.com.


COMPUTERWORLD, April 17, 2006
www.computerworld.com

KNOWLEDGE CENTER: SECURITY

Security dashboards offer systemwide visibility from a central console. By Drew Robb

The nFX Open Security Platform from netForensics monitors security events on a single console, allowing Wheaton Franciscan Services to isolate threats earlier.
IT’S USELESS trying to manage a battle when immersed in the fray. So generals have traditionally operated from a hilltop where they have an overview of the conflict below. Effective information security management requires that same type of visibility.

Lee A. Kadel, information security analyst at Wheaton Franciscan Services Inc. (WFS), oversees security at the nonprofit’s data center in Glendale, Wis., as well as connections to its 17 hospitals and more than 70 clinics in Colorado, Illinois, Iowa and Wisconsin. He was running nearly 100 security devices, including firewalls, intrusion-protection systems (IPS), virtual private network (VPN) concentrators and authentication servers, but had no way to gain overall insight into the security status of the network.

“We had to manually review the firewalls, manually review the VPN logs and monitor the security logs on the authentication servers,” says Kadel. “There were some devices we couldn’t manage easily because the volume of event log data was just too great.” Like many other security managers, Kadel found that by installing a security information management console, he was able to cut down the monitoring workload and isolate threats earlier, as well as reduce downtime by discovering configuration errors.

LEE A. KADEL, information security analyst at Wheaton Franciscan Services


Limited Dashboards

To bring security and reporting up to the level required for compliance with the Health Insurance Portability and Accountability Act, Kadel installed Edison, N.J.-based netForensics Inc.’s nFX Open Security Platform on five servers in an isolated storage-area network environment. NFX agents receive or collect the data from WFS’s security devices. The data is translated into a common database format for storage, analysis and reporting.

“I have a dedicated monitor on my desk, so I can see the state of our network security at any given point in time,” Kadel says. “It has given us greater visibility and better reaction time.”

Some software vendors sell products called dashboards that are in fact just central management consoles for particular security products. But that doesn’t mean that such products aren’t helpful.

For example, New York Community Bank uses CA Inc.’s Integrated Threat Management R8. ITM unifies CA’s PestPatrol Anti-Spyware Corporate Edition and its antivirus software into a single console. The bank uses ITM to centrally manage 3,500 desktops at 170 branches in the greater New York area, as well as its servers. With ITM, help desk staffers can remotely scan the workstations rather than having to travel to a site and do it manually. “Each branch has its own server and PCs,” says Assistant Vice President Dan Koppelman. “It has saved us a lot of time and costs, not having to keep IT staff on the road going from PC to PC.”

But unlike nFX, such a console can’t be considered a true security dashboard.

“This dashboard can be called a vulnerability management dashboard or antivirus dashboard, but not a security dashboard,” says Khalid Kark, an analyst at Forrester Research Inc. “A real security dashboard would need to look at security controls in a comprehensive fashion and generate reports on it.”

Koppelman has evaluated going to a more complete dashboard but says that what he has now meets his company’s needs. But at VeriSign Inc. in Mountain View, Calif., a higher degree of control is needed for protecting the root servers for the .com and .net domains, as well as providing managed security services to thousands of enterprises. VeriSign must protect thousands of production and enterprise servers and hundreds of firewalls and intrusion-detection systems (IDS).

“There were too many places to look for information,” says Ken Silva, VeriSign’s chief security officer. “The idea is to centralize that into a common console so you really have only one place to look.”

VeriSign selected a security management suite from OpenService Inc. in Marlboro, Mass., because of its extensibility. It provided about 80% of the needed functionality out of the box.

“We had the whole system up in about two weeks, and most of that time was spent fine-tuning for the other 20% that it didn’t do out of the box,” Silva says. “There are some events that we uniquely have at our company that obviously couldn’t be preprogrammed into the system.”

The system pulls information from the server monitoring service, in-house applications that monitor the domain name service and IDS, IPS, firewall and router logs. All events are sent to a central Unix box that correlates them and synthesizes them into a common event.

Silva reports that network operations center staffers now monitor only a single console instead of a dozen, and they no longer have to dig through several logs to find what is triggering an event. They have been able to reduce mean time to detection by 30% to 50%.
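The “common event” step that nFX, ArcSight’s ESM (in the previous article) and the OpenService suite all perform, translating firewall, IDS and authentication logs into one schema and then correlating across them, looks roughly like the Python below. It is an added example written for this page, not code from netForensics, ArcSight or OpenService. The three log excerpts are constructed, in simplified formats that only resemble iptables, Snort and sshd output; the rule ids, host names and addresses are invented; and the year is an assumption, since syslog-style lines carry none. The incident’s time_to_detect field is the per-incident quantity behind the mean-time-to-detection figure Silva cites.

```python
"""Normalize firewall, IDS and authentication logs into one event schema and
correlate them per source address.  Added example: the log excerpts are
constructed in simplified formats that only resemble iptables, Snort and sshd
output; rule ids, hosts, addresses and the year (syslog lines carry none)
are assumptions, and none of this is netForensics, ArcSight or OpenService code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2006  # assumption: the IDS and auth lines have no year field

FIREWALL_LOG = """\
2006-04-17T02:14:05 fw1 DROP SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=22
2006-04-17T02:14:06 fw1 DROP SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=23
2006-04-17T02:14:07 fw1 ACCEPT SRC=203.0.113.9 DST=10.0.0.7 PROTO=TCP DPT=22
2006-04-17T03:40:00 fw1 DROP SRC=198.51.100.4 DST=10.0.0.5 PROTO=TCP DPT=445
"""
IDS_LOG = """\
04/17-02:14:08.120 [**] [1:100001:1] SCAN potential SSH scan [**] [Priority: 1] 203.0.113.9 -> 10.0.0.7
04/17-09:00:00.000 [**] [1:100002:1] ICMP ping [**] [Priority: 3] 192.0.2.8 -> 10.0.0.1
"""
AUTH_LOG = """\
Apr 17 02:14:09 host7 sshd[4411]: Failed password for root from 203.0.113.9 port 40122 ssh2
Apr 17 02:14:12 host7 sshd[4411]: Failed password for root from 203.0.113.9 port 40123 ssh2
Apr 17 02:14:20 host7 sshd[4419]: Accepted password for admin from 203.0.113.9 port 40130 ssh2
"""

def _event(ts, source, src_ip, dst, category, severity, raw):
    """The common schema every parser emits; severity is 1..3, 3 the worst."""
    return {"ts": ts, "source": source, "src_ip": src_ip, "dst": dst,
            "category": category, "severity": severity, "raw": raw}

def parse_firewall(line):
    m = re.match(r"(\S+) (\S+) (DROP|ACCEPT) SRC=(\S+) DST=(\S+)", line)
    if not m:
        return None
    dropped = m.group(3) == "DROP"
    return _event(datetime.fromisoformat(m.group(1)), "firewall", m.group(4), m.group(5),
                  "fw_drop" if dropped else "fw_accept", 2 if dropped else 1, line)

def parse_ids(line):
    m = re.match(r"(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+ \[\*\*\] \[[\d:]+\] (.+?) "
                 r"\[\*\*\] \[Priority: (\d)\] (\S+) -> (\S+)", line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR}-{m.group(1)}-{m.group(2)} {m.group(3)}", "%Y-%m-%d %H:%M:%S")
    # Snort-style priority 1 is the most urgent; invert it onto the common scale.
    return _event(ts, "ids", m.group(6), m.group(7), "ids_alert", 4 - int(m.group(5)), line)

def parse_auth(line):
    m = re.match(r"(\w{3}) +(\d+) (\d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
                 r"(Failed|Accepted) password for (\S+) from (\S+) port", line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m.group(1)} {m.group(2)} {m.group(3)}", "%Y %b %d %H:%M:%S")
    failed = m.group(5) == "Failed"
    return _event(ts, "auth", m.group(7), m.group(4),
                  "auth_failure" if failed else "auth_success", 2 if failed else 1, line)

def normalize(firewall=FIREWALL_LOG, ids=IDS_LOG, auth=AUTH_LOG):
    """Run each log through its parser and return one time-ordered event list."""
    events = []
    for text, parser in ((firewall, parse_firewall), (ids, parse_ids), (auth, parse_auth)):
        events.extend(e for e in map(parser, text.splitlines()) if e)
    return sorted(events, key=lambda e: e["ts"])

def _absorb(inc, ev):
    inc["events"].append(ev)
    inc["categories"].add(ev["category"])
    inc["severity"] = max(inc["severity"], ev["severity"])
    inc["last_seen"] = max(inc["last_seen"], ev["ts"])
    if ev["category"] == "auth_success" and "auth_failure" in inc["categories"]:
        inc["escalated"] = True  # a login succeeded after failures: not just noise

def correlate(events, window=timedelta(minutes=10)):
    """Open an incident for a source address once two different log sources
    report it within `window`; keep attaching its events while they arrive
    within `window` of the last one; time_to_detect is how long after the
    first event the incident opened."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["src_ip"]].append(ev)
    incidents = []
    for ip, evs in by_ip.items():
        inc, recent = None, []
        for ev in evs:
            recent = [e for e in recent if ev["ts"] - e["ts"] <= window] + [ev]
            if inc and ev["ts"] - inc["last_seen"] > window:
                inc = None  # quiet for a whole window: the incident is closed
            if inc:
                _absorb(inc, ev)
            elif len({e["source"] for e in recent}) >= 2:
                inc = {"src_ip": ip, "first_seen": recent[0]["ts"], "detected_at": ev["ts"],
                       "time_to_detect": ev["ts"] - recent[0]["ts"], "last_seen": recent[0]["ts"],
                       "categories": set(), "severity": 0, "events": [], "escalated": False}
                for e in recent:
                    _absorb(inc, e)
                incidents.append(inc)
    return incidents
```

Run as `correlate(normalize())`: the two single-source addresses (one blocked SMB probe, one ping alert) never become incidents, while 203.0.113.9 opens one three seconds after its first firewall drop, when the IDS corroborates it, and is escalated when an SSH login succeeds after two failures. Requiring two sources rather than two categories is what keeps the firewall’s own accept-after-drop churn from opening incidents by itself.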

“If done well,” says Kark, “a comprehensive security dashboard can not only save a tremendous amount of time and effort for the organization, but also helps security managers get more visibility into their security posture.”

Robb is a Computerworld contributing writer.
Spending Fatigue

How to stoke the security funding fires and articulate the value of resources already spent. By Mary Brandel

Xerox Corp. takes information security pretty seriously. It regularly conducts network vulnerability scans, as well as corporate audits of its risk mitigation efforts. A compliance program buoys employee awareness of its security processes — as well as its disaster recovery, information privacy and Sarbanes-Oxley Act policies — and an executive board champions adherence to them all. Meanwhile, the security budget at the Stamford, Conn.-based company is holding steady compared with last year, even as its other IT spending is down.

And yet, as Xerox Chief Security Officer Audrey Pantas says, “you never get as much as you’d like — you could

Continued on page 36
Regulatory Driver

THERE’S NOTHING LIKE a regulation to help justify security expenditures. Nothing shapes a funding argument quite so well as the threat of fines, jail or a marred reputation resulting from regulatory noncompliance.

However, IT has to be careful about how hard and how often it pushes the compliance button. One reason is that organizations are increasingly appointing people specifically for that job, and IT should work with them — as well as with the legal department, auditing and internal risk management — and base security investments on the decisions that come out of those bodies.

“I’ve had feedback that it sometimes looks like IT or the security department is the tail trying to wag the compliance dog,” says Tom Scholtz, an analyst at Gartner. “IT should be a key partner but shouldn’t hijack the debate and lead the effort.”

In particular, Scholtz warns, don’t use compliance as an excuse for security projects that otherwise wouldn’t have been justified.

In other words, “coordinate but don’t duplicate,” according to Robert Charette, director of the enterprise risk management and governance practice at Cutter Consortium.

At the same time, it can be frustrating to stand by and watch as your company refuses to make investments in securing areas that aren’t regulated.

“I have designed security for dozens of companies, and none of them have ever secured anything they didn’t absolutely have to, especially customer data,” says Mark Rhodes-Ousley, an information security architect. “Even the simple precaution of encryption is almost never practiced.”

With the possibility of regulations requiring encryption on hard drives looming on the horizon, Rhodes-Ousley is starting to see companies deploy encryption on their endpoint workstations. “This is only a beginning, but I’m hopeful,” he says.

“It shouldn’t take a federal law to make a company start caring about how the personal information that they’ve been trusted with is being handled,” says Christopher Bomar, founder of Boomarang. “But unfortunately, that’s how companies are operating now as a majority.”

— MARY BRANDEL


Continued from page 34

always do more.” And that sums up the mind-set surrounding IT security at corporations today: No matter how much money you pour into it, you’ll always need to go back to the well.

With growing threats, increased regulations and plenty of media coverage when incidents do occur, executives have never been more aware of the importance of IT security. At the same time, spending fatigue may be creeping into the boardroom, as CXOs increasingly look for the business value earned on the security dollars spent.

“Senior management knows there’s a problem, but it seems that every day the problem gets worse, and it’s like there’s no end in sight,” says Robert Charette, director of the enterprise risk management and governance practice at Cutter Consortium, an IT consultancy in Arlington, Mass. “There’s the feeling that they could give security every single penny and it still wouldn’t be enough.”

To keep the security budget from looking like a black hole, you need to articulate the value of the money being spent. Here are some do’s and don’ts for doing just that.

DON’T Use Scare Tactics

Every day, it seems, a story emerges about a backup-tape theft or compromised customer data. But don’t overuse these incidents when seeking to justify your funding requests. “CXOs can become desensitized or jaded if they hear too much about reports that they don’t think affect them,” says Christopher Bomar, founder of Boomarang LLC, an online data-backup service firm in Cincinnati.

“FUD has been used up,” agrees Mark Rhodes-Ousley, an information security architect and author of Network Security: The Complete Reference (McGraw-Hill Osborne Media, 2003). “So many people have cried wolf that executives are inured to scary stories.”

You might, however, consider using recent security incidents to shed light on your company’s needs. For instance, you can send out regular e-mails that put news stories into perspective and show how they apply — or don’t — to your business, says Bob Dehnhardt, network and information security manager at TriNet, a human resources services firm in San Leandro, Calif. “You can use these incidents as an opening, but back them up with a strong business case,” he says.

For instance, when a report comes out about backup tapes being stolen, point out what happened to the company’s stock price on the day the story broke, says Gary McGraw, chief technology officer at security consultancy Cigital Inc. and author of Software Security: Building Security In (Addison-Wesley Professional, 2006).

DO Use Horizon Planning

Instead of asking for funding several times a year, project the security costs that need to be incurred over a 12-to-24-month time horizon, Rhodes-Ousley says. “CXOs can swallow that more easily,” he says. “If you say you need certain things next year, you can get funding more easily than saying you need something now.”

At Xerox, Pantas develops a three-to-four-year strategic plan for the company’s security efforts and then prioritizes which of those projects to pursue in the ensuing year. “I do work off an overall strategic plan on where we want to take security,” she says.

DO Let the CXO Define Acceptable Risk

Business executives deal with risk all the time, so before forking over money for protecting corporate systems and data, they first want to know the degree of legal, financial, operational and strategic risk they’re facing. Only then can they decide how much they need to mitigate their exposure and, thus, how much they want to spend.

“If the CIO is bringing concrete evidence of exposure, liability and even an actual incident, the discussion changes from ‘Should we do this?’ to ‘How much would it cost to make this go away?’ ” Bomar says.

When you present this information, give the executives an array of choices with different levels of protection — like they’d get when choosing an insurance plan, Charette says. “Let them understand what’s at risk and then let them choose how much they want to cover themselves,” he says.

Doug Lewis, a former CIO and a senior partner at The Edge Consulting Group LLC in Atlanta, calls this “finding the prudent zone.” He recommends adding up how much it would cost to improve security and then plotting the range of spending options on a chart. On one side of the chart is the “danger zone,” where security is insufficient, and on the other is the “ridiculous zone,” where the company is overspending. Somewhere in the middle, he says, is the prudent zone, which will vary depending on your industry and security risks.

“You have to explain that if you’re manufacturing talcum powder, you’re probably not a big target for intellectual property theft, compared to a health care firm or a bank,” Lewis says. “You have to take a balanced, prudent view and not overbill the case.”

DO Use Business Language

When you live and breathe security, it’s easy to be passionate about things like the difference between intrusion protection and intrusion detection. But don’t bring that talk into a board meeting. “You have to explain yourself in human-readable terms,” Lewis says. “What the CEO wants to know is, ‘Am I being protected at a prudent level, and if not, what do I need to do to get there?’ ”

When Pantas discusses the importance of avoiding vulnerability in software code, for instance, she doesn’t go off on a tangent about not doing cross-site scripting, she says.

So instead of saying things like “threat detection,” “encryption” and “data protection,” use terms like “exposure,” “indemnity,” “protecting the brand” and “effect on market cap,” says Tom Scholtz, an analyst at Gartner Inc.

For instance, if your company just launched a branding campaign for its product or service, brand protection is a relevant justification for security spending. “You say, ‘You guys spent $200 million last year on branding your credit card as the cool card to carry around, and one story in The Wall Street Journal can bring that all tumbling down,’ ” McGraw says. “Then, if someone says, ‘Why did we install that expensive apparatus?’ you can say, ‘Because we’re protecting the brand.’ ”

And you had better be able to state your case in an “elevator speech” — a concise, compelling argument that can be made in less than a minute. “What’s that one message?” Charette says. “They don’t care about the different levels of encryption — they care about the harm it will keep the company from suffering and how much it’s exposed in the different scenarios.”

DON’T Use ROI Arguments

Investing in security rarely yields a return on investment, so promising an ROI will sound ill-informed to a senior executive. “You really have to talk about it from an insurance perspective,” Pantas says. “It’s more about cost avoidance or cost of compliance; there’s very little in what we do that’s relative to gaining ROI.”

It’s possible to discuss other benefits of security spending, such as protecting the company’s ability to generate revenue, keep market share or retain its reputation. But ROI relates to expanding revenue and profits, “and security isn’t about that,” Charette says. “Trying to sell it as if it’s a revenue generator is a good way to have the board say, ‘Are you nuts?’ ”

DO Report on Benefits From Past Spending

Before asking for more security funding, make sure you close the loop on your previous spending by regularly updating executives on the results of those efforts. This means regularly measuring things like how many malicious attempts were stopped at the firewall or how quickly incidents were resolved and summarizing this data in a meaningful way.

Pantas has her team conduct regular audits on network attacks, providing her not only with an idea of where vulnerabilities continue to exist but also with a record of improvement over time.

“After you’ve invested in new security technology, you need to come back six months later and show what you’ve achieved and how it squares up with what you intended to achieve,” Scholtz says.

You also need metrics to show that it’s good when nothing happens, McGraw says. For instance, following a worm outbreak, use network-activity reporting to show that you had the proper protective measures in place. Otherwise, you can fall into the chicken-and-egg trap, where people begin wondering why you have to keep investing in security when nothing bad ever happens.

McGraw also cautions against getting too granular in your reporting efforts. “They don’t want to see your firewall logs or the number of virus scans or something geeky that you have to explain in three paragraphs,” he says. “What they want to know is they invested $10 million in this product line and it’s not going to be hacked on the first day.”

Unfortunately, the most reliable way to ensure security funding is through regulation, “and that’s a shame,” Rhodes-Ousley laments. “Businesses simply won’t do the right thing, such as protecting customer identities and private information, if they’re not required to.” The best thing to do in those instances, Scholtz says, is to partner with the internal compliance organization. “Complying with regulations has very direct consequences for information security and IT,” he says. “But it’s really the business that needs to make the risk-based decision on what they’re going to do.”

Brandel is a Computerworld contributing writer. Contact her at marybrandel@verizon.net.
Top Secret

Classification helps flag and secure sensitive data, but it can be a labor-intensive exercise.

By Jennifer McAdams
Mucking up the best-laid security plans everywhere is the messy issue of how enterprises are supposed to cope with staggering amounts of unstructured data, some of it for internal eyes only, such as ad hoc files generated by e-mail and other applications. It’s a huge problem that only the smallest of vendors right now are ready to tackle.

Many technology executives are taking note of the new breed of data classification or information content management (ICM) offerings, which promise to help set policies and access controls on sensitive data buried in unruly, unstructured data sets. Vendors are positioning ICM storage software as an alternative to labor-intensive content management or metadata tools.

Holding back ICM adoption rates, however, is the newcomer status of data classification vendors and the level of complexity sometimes involved in harnessing ICM for security enhancement, according to several market analysts and enterprise IT officials now exploring the data classification market.

“ICM tools can help define security-sensitive data and prevent it from being incorrectly exposed,” says Mayur Raichura, managing director of information services at Fairfax, Va.-based real estate company The Long & Foster Cos. “If correctly done, ICM tools can provide reasonable assurances that [sensitive] data is not exposed.”

Finding a Balance

Yet in Raichura’s opinion, correct use of ICM products can easily amount to extra work for enterprise IT shops. “How are you going to get expert users to identify and classify terabytes’ worth of data, most of it unstructured, when they have regular jobs to do? Without a doubt, it can be done with the right allocation of resources,” he says.

For Long & Foster, the tremendous amount of coding and testing work the company conducts offshore is a rapidly swelling source of unstructured data. “This data has expanded without any significant structure or classification. While it is secure at basic levels, much needs to be done,” Raichura says.

Given the amount of unstructured data that Raichura and others are forced to contend with, further allocation of resources isn’t an option and is precisely why senior IT officials are poking around the ICM market in the first place, according to analysts such as IDC’s Laura DuBois.

“In talking to users, there are several key challenges they face that are driving interest in these products. The first is the sheer growth of data,” she says. According to IDC, enterprises will see a staggering 52% growth in data over the next year — much of it an increase in unstructured data. Besides data volume spikes, security concerns — especially in the area of compliance — are spurring interest in ICM, DuBois adds.

“Large firms are evaluating more automated ways in which to classify data and, in particular, unstructured data. A manual method is just not viable, given the number of files and the distributed nature of files,” she says.
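An added example, not from the article or any vendor it names, of the automated classification DuBois describes: text from constructed files is scanned for regulated patterns and confidentiality markers, a label is assigned, and the label is mapped to a handling policy and storage tier. The patterns, labels, tiers and file contents are assumptions made for this example; the Luhn check shows why a pattern match alone is not enough, and files with no hit are queued for an owner’s review rather than silently treated as public.

```python
"""Added example (not from the article or any vendor it names): a toy
automatic classifier for unstructured text. It looks for regulated patterns
and confidentiality markers, assigns a label and maps the label to a handling
policy and storage tier. Patterns, labels, tiers and sample files are
constructed; a real deployment would tune them with the data owners."""
import re

SSN_RX = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RX = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, separators allowed
MARKER_RX = re.compile(r"\b(confidential|internal use only)\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: screens out ordinary 16-digit numbers that merely look
    like payment cards, which is where naive pattern scanners drown in noise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_indicators(text: str) -> list:
    """Return the reasons a document is sensitive, regulated data first."""
    reasons = []
    if SSN_RX.search(text):
        reasons.append("ssn")
    for m in CARD_RX.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            reasons.append("payment-card")
            break
    if MARKER_RX.search(text):
        reasons.append("marked-confidential")
    return reasons


# Label -> handling policy (constructed). Mirrors the "impose a policy and
# dispatch to a storage tier" outcome the article attributes to ICM tools.
POLICIES = {
    "restricted":   {"tier": "encrypted-archive", "access": "need-to-know", "review": False},
    "internal":     {"tier": "internal-share",    "access": "employees",    "review": False},
    "unclassified": {"tier": "general",           "access": "unchanged",    "review": True},
}


def classify(text: str) -> dict:
    """Assign a label from the indicators and attach its handling policy."""
    reasons = find_indicators(text)
    if any(r in ("ssn", "payment-card") for r in reasons):
        label = "restricted"      # regulated personal or financial data
    elif reasons:
        label = "internal"        # author marked it; no regulated pattern found
    else:
        label = "unclassified"    # nothing matched: still needs an owner's spot check
    return {"label": label, "reasons": reasons, **POLICIES[label]}


def classify_tree(files: dict) -> dict:
    """Classify a {path: contents} mapping, as a scanner walking a share would."""
    return {path: classify(text) for path, text in files.items()}


# Constructed sample files. 4111 1111 1111 1111 is a well-known test card
# number that passes Luhn; the draft's number differs by one digit and fails.
SAMPLE_FILES = {
    "hr/memo.txt": "Please update the record for J. Doe, SSN 123-45-6789, before Friday.",
    "finance/refunds.csv": "customer,card\nA. Smith,4111 1111 1111 1111\n",
    "finance/draft.csv": "customer,card\nB. Jones,4111 1111 1111 1112\n",
    "legal/nda.txt": "CONFIDENTIAL: do not distribute outside the company.",
    "marketing/press.txt": "Our new office opens in Fairfax next month.",
}

if __name__ == "__main__":
    for path, result in classify_tree(SAMPLE_FILES).items():
        print(f"{path:22} {result['label']:13} tier={result['tier']:18} "
              f"review={result['review']} reasons={result['reasons']}")
```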

Manual Labor

While Long & Foster toils over the security and storage of software coding data, IT officials at George Washington University (GWU) in Washington are scratching their heads over the best way to secure e-mail and other ad hoc files. “I think there is a lot more out there than we are giving credit to. And right now, we are just not able to treat this unstructured data with the rigor we do official hard copies of information,” says Dave Swartz, the university’s vice president and CIO.

GWU worked hard for years to assign security levels and storage procedures to its many structured data sets and has created a university-wide data-classification policy. “First, we had to get the basics in place,” says Swartz. GWU relies on EMC Corp.’s Symmetrix DMX series of network-attached storage products to categorize and apply security policies to its structured data, which includes legal documents, contracts and grant-related information.

More confounding has been unstructured data, Swartz says. “We have manually designated folders and set up an encrypted archive to put e-mail and other files into a document management system. So we are able to intelligently drag and drop files into the proper folders. We understand what we are doing, but it is not automatic,” he says.

Swartz says he is aware of and interested in the growing class of ICM vendors. However, GWU’s adoption of their tools is still a ways off.

Automatic Flaggers

A HANDFUL of emerging ICM companies are marching out data classification tools that can purportedly automatically crack open any unstructured file, seize its sensitive content, impose critical security policies and dispatch the data to appropriate storage tiers.

Two of these newcomers have nailed partnerships with large storage vendors. Network Appliance Inc. has teamed with Kazeon Systems Inc., which offers Kazeon IS1200, a product designed to eliminate manual classification tasks. Meanwhile, Arkivio Inc. has formed an alliance with EMC.

According to analysts, other ICM companies to watch include Abrevity Inc., Trusted Edge Inc., Njini Inc., StoredIQ Corp. and Index Engines Inc.

— JENNIFER McADAMS

Indeed, most enterprises seem only to be inching in the direction of ICM. “The question for the enterprise is, What makes sense, and at what time?” says Brad O’Neill, an analyst at Taneja Group in Hopkinton, Mass.

The decision about whether or when to adopt ICM could have much to do with how difficult it is to improve the security of unclassified data through the use of these new products, O’Neill says. “Setting security policies can range from very easy to incredibly complex, depending on the number of variables and scale of informational security desired,” he says.

Because of product complexity, a content management approach still makes sense to some enterprises. “Too often, there is a rush to try to apply structure to unstructured content. Anecdotal evidence suggests these efforts don’t always address all business requirements,” says Scott Bentivegna, project manager for knowledge management at Washington Group International Inc., a Boise, Idaho-based engineering, construction and management solutions provider. The firm uses EMC’s Documentum content management system for its unstructured data.

The perceived lack of maturity among ICM vendors has much to do with sluggish adoption rates, says O’Neill. “To me, this is very much an emerging category,” he says, although he is quick to add that ICM’s appeal can be very powerful, especially on a security level.

Despite the newcomer status of ICM vendors, enterprises scrambling to secure unstructured data will want to watch these small players carefully. Analysts predict that many ICM product vendors will soon make significant corporate inroads.

McAdams is a freelance writer in Vienna, Va. Contact her at jjwriterva@aol.com.
Your employees need more than slogans. Here are some other ways to get them to take security seriously. By Mary K. Pratt

IT’S THE kind of breach that companies fear: workers giving out network log-in names or changing passwords when asked to by someone posing as an IT staffer. The best firewalls on the market can’t protect against such scenarios. “Why even lock your doors if employees happily hold them open for a stranger following behind them?” asks Alex Ryan, security officer at VeriCenter Inc., an IT infrastructure and managed services provider in Houston.

The risk that employees pose is significant. They can fall prey to social engineering, a fancy term for being conned. They can ignore company policy by failing to encrypt sensitive data. Or they might install unauthorized software that can corrupt the system.

Think you’re well protected? Recent findings from the Computing Technology Industry Association might convince you otherwise. In this year’s CompTIA information security study, 59% of the organizations surveyed indicated that their latest security breaches were the result of human error alone. That’s up from 47% last year.

Despite such statistics, many companies fail to do enough to educate their workers. That’s what the Internal Revenue Service discovered, according to a March 2005 federal government report.

Federal inspectors posing as IT help desk staffers trying to correct a network problem called 100 IRS managers and employees and asked them to provide their network log-in names and temporarily change their passwords to ones they suggested. Inspectors persuaded 35 IRS workers to do just that.

This success came despite IRS efforts to educate employees.

Dan Galik, the IRS’s chief security officer, says his agency “re-energized the awareness program” following the report. In addition to annual reviews, posted announcements and online courses mandated under the 2002 Federal Information Security Management Act, Galik says the agency has added some innovative approaches. One was a Jeopardy-style game held last November during which workers tried to give the right answers on security-related topics. “You’ve got to come up with something that will stick,” Galik says.

Here are some other practices that have proved effective in getting the message across.

Make It Personal

“Many employees worry about their home machines’ security. Leverage that concern to promote general security principles that can be applied at both home and work,” Ryan says. “It’s a way to make people personally interested in security.” She e-mails employees newsletters with tips that alert them to the latest scams or viruses that could affect both their work and personal PCs.

Companies can also use personal examples to show what they’re trying to achieve on a corporate level, says IT security expert Candy Alexander, a consultant at Alexander Advisory LLC in Merrimack, N.H. For example, companies can tell workers that protecting passwords is no less important than protecting their debit cards’ PINs.

If you have the luxury of getting people into a classroom for training, Ryan recommends a little live action to drive home the message. She has enlisted students during classes to act out roles, such as a hacker and an administrative assistant. She instructs the hacker to pressure the assistant for his computer password with techniques that real-life social engineers use.

Companies also shouldn’t underestimate the power of publicity, says IT security expert Jim Litchko. He points to a situation that played out at a government intelligence agency where a senior official, against agency policy, brought in a disk that turned out to contain a virus. The agency fired him and let everyone know it.

“To those people who value their jobs, it’s very effective” in highlighting the importance of security, says Litchko, president of Litchko & Associates Inc., an IT consulting firm in Kensington, Md., and past chairman of the IT security council for ASIS International, an organization of security professionals.

Employees should also have simple steps to follow if they suspect security problems. Litchko says one company had stickers on its computers providing information on typical scams, along with a number to call for help.

Would Your Workers Pass the Test?

As an executive at an IT consulting company, Bruce Baird assumed that his workers were security-savvy. But a conversation with a former colleague rocked his confidence.

Baird, vice president of operations at T2 Software Services Inc. in Tampa, Fla., learned from security expert Todd Snapp that hackers can set up phones to spoof the Caller ID names of legitimate companies.

“One of the things we look for when we hire consultants is interpersonal skills — [people who ask] ‘How can I help you?’ when talking to clients. And if they think they’re talking to the client and they’re really not,” they could be unintentionally passing along information to hackers, Baird says.

Companies have used so-called penetration testing to see how well their technology can fend off intruders. Some are now using the same techniques to see how well their employees can spot potential problems. The results, according to reports, aren’t encouraging.

“We have found that a lot of companies spend a lot of money and time building a strong, secure infrastructure, but they don’t spend much time on securing their people. They’re not trained on what to look for, at a time when hackers are getting more sophisticated,” says Snapp, president of RocketReady, a Tampa company that offers readiness testing in addition to other services and products.

RocketReady’s employees use the same techniques that malicious hackers use to gain information and access to a company’s IT infrastructure and the data it contains.

They gather information from readily available sources, such as a company’s Web site. They then pose as customers, potential clients, representatives of partner companies, travel agents and even employees to get specific details, such as employee ID numbers and acronyms used only by company workers, that will help them in their attacks.

Baird doesn’t want T2 employees to fall prey to scams. Since RocketReady showed him how easily it could spoof Caller ID, Baird has upped company-sponsored training on this issue and now requires staffers to take annual courses on the topic.

— MARY K. PRATT

Integrate Security Awareness

Companies that consider security training an annual event are missing out on opportunities to make security part of the everyday culture, says Jonathan G. Gossels, president of SystemExperts Corp., a Sudbury, Mass.-based network security consulting firm.

Gossels recommends leveraging ongoing training events. He notes that one client, a large chemical company, incorporates security components into its regular professional development courses. “No one would take time out to take a security course, but to take 15 minutes in another course works well. And they’re able to tune the security message to the people taking the course,” Gossels says.

Also, don’t let security become an “out of sight, out of mind” issue, says Litchko. “It has to be a continual thing. You can’t just put up a poster and keep it there a year. It needs to be constant and varied.”

In addition to her monthly security newsletters, VeriCenter’s Ryan regularly e-mails summaries of news articles related to IT security.

Another way to keep security on everyone’s mind is to use technology itself to remind them, says Joel Rakow, the e-crimes practice leader at Tatum LLC, an executive consulting and services firm in Atlanta. Companies can have security-related tips and reminders — like “Our data is sensitive information,” or “Customer information is available on a need-to-know basis” — flash up on screensavers.

Like so much else in IT, security training should not take a one-size-fits-all approach, says Susan Hansche, program manager at Nortel Government Solutions Inc., a Fairfax, Va.-based company that provides information-assurance training programs to the U.S. Department of State.

Hansche recommends role-based training, where the messages and action items are targeted to specific audiences. Her company, for example, uses eight different role-based programs to train 1,000 State Department employees annually. The courses for executives are different from those for senior-level managers and general end users.

Alexander has taken a similar approach to training. She says executives like war stories, middle managers prefer presentations that give them checklists of action items, and general end users like information in small, easily digestible chunks.

When Alexander worked at the former Digital Equipment Corp., she developed a scavenger hunt that asked workers to find 10 items related to security on the company’s Web site. Those who got all 10 were entered into a drawing to win a mug.

You might be surprised to learn that the nonmandatory event drew in more than 70% of the company’s worldwide workforce. “Positive competition is really beneficial,” Alexander says.

K Rudolph says she has seen similar success with competitive programs.

Rudolph is a Certified Information Systems Security Professional and chief inspiration officer at Native Intelligence Inc., a company in Glenelg, Md., that provides IT security awareness services to government agencies and private industry.

She says one of her clients implemented a “news hawk” program, where
the  first  employee  to  bring  in  a  news 
story  on  IT  security  gets  a  prize.  Prizes 
have  ranged  from  time  off  to  movie 
tickets.  The  awareness  team  then  dis¬ 
tributes  the  news  item  through  a  week¬ 
ly  e-mail  or  its  periodic  newsletter. 

Make  It  Fun 

IT  security  is  a  serious  topic,  but  secu¬ 
rity  officials  have  found  that  some  lev¬ 
ity  helps  keep  workers’  attention. 

Alexander,  like  many  others,  has 
used  Web-based  training  to  educate 
employees  on  security  topics  and  used 
online  quizzes  to  test  their  knowledge. 
Although  the  material  covered  sig¬ 
nificant  topics,  she  still  found  ways  to 
elicit  some  smirks.  For  example,  the 
multiple-choice  answers  for  “What  is 
social  engineering?”  included  “a  col¬ 
lege  degree”  and  “a  job  on  a  cruise 
line”  —  obviously  false  answers  in¬ 
fused  with  a  hint  of  dry  wit. 

“It’s  not  extremely  silly,”  Alexander 
says,  “but  it’s  something  to  make  peo¬ 
ple  remember.”  » 

— 

Pratt  is  a  Computerworld  contributing 
writer  in  Waltham,  Mass.  Contact  her  at 
marykpratt@verizon.net. 
Like pieces of a puzzle, frameworks help companies meet specific security goals. By Bob Violino

Many companies are using standards and frameworks to deal with certain aspects of information security. These models can help protect systems and data, but each plays a very different role in an overall security plan.

Some of the most popular ones, including the Control Objectives for Information and Related Technology (Cobit), ISO 27001, the IT Infrastructure Library (ITIL) and Statement on Auditing Standards (SAS) No. 70, offer guidelines for improving some elements of security. But experts say these models are more like pieces of a puzzle than comprehensive security standards.

“All of these frameworks supply IT with repeatable processes that are consistent across the various IT functions” and help technology executives provide better service, says Kimberly Sawyer, vice president of computing and network services at Lockheed Martin Corp.’s IT department, known as Enterprise Information Systems, in Orlando.

But none of the standards alone provides full security, Sawyer says. “They contain various information security concepts that must be interpreted, integrated and incorporated into the daily operations,” she says. “Comprehensive security requires discipline and integration across all aspects of planning, service delivery, risk management architecture, tool selection, policy development and audits.”

Lockheed Martin is using Cobit, ITIL and ISO 27001 for different purposes: Cobit for measuring and assessing IT controls, ITIL to improve internal IT services, and ISO 27001 for IT governance. Although each helps to bolster security, none is a stand-alone solution, Sawyer says. “IT organizations must integrate the frameworks to ensure [that] best practices are integrated across the information security discipline,” she says.

Here’s a look at some of the key standards and their roles in a security plan.

Cobit

First published in 1996 by the Information Systems Audit and Control Association (ISACA) and now maintained together with the IT Governance Institute, Cobit provides a framework for users and for IT, security and auditing managers. It’s gaining acceptance as a good practice for controlling data, systems and related risks.

“Cobit has enabled us to more systematically approach audit issues to identify root causes of deficiencies,” says Sawyer.

The framework includes tools to measure a company’s capabilities in 34 IT processes. Among them are a list of critical success factors that provides best practices for each IT process, maturity models to help in benchmarking, and performance-measurement elements. The standard is becoming vital as companies strive to comply with regulations such as the Sarbanes-Oxley Act.

“Cobit only has one security module, but when you look at [the standard] from a broad perspective, it addresses a lot of elements of security,” says Mike Nelson, president of SecureNet Technologies Inc., a consulting firm in San Ramon, Calif., that focuses on information security. “Where it begins to break down is in providing details of the ‘how.’ It gives detail of controls and objectives of controls” but doesn’t explain how to implement them, he says.

ISO 27001

ISO 27001 (formally ISO/IEC 27001:2005, Information security management systems: Requirements) provides more of the detail that’s needed, Nelson says. The standard, which grew out of the British standard BS 7799-2 and is meant to be used alongside the ISO 17799 code of practice, is designed to help organizations establish and maintain effective information security controls through continual improvement.

Published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO 27001 implements principles of the Organization for Economic Cooperation and Development on governing the security of information and networks. The standard creates a road map for the secure design, implementation, management and maintenance of IT processes in an organization.

“ISO 27001 is a laundry list of controls; it gives more of a framework for an effective security program,” says Paul Proctor, an analyst at Gartner Inc. in Stamford, Conn. “Cobit and ISO 27001 are the most popular [standards] out there.”


ITIL

ITIL is a set of best practices, published as books designed to help reduce the cost of using technology and to improve the quality of services delivered throughout the organization. ITIL consists of rules on how to deliver services more efficiently by improving management processes across IT departments that support networks, applications and databases.

In the late 1980s, the U.K. government’s Central Computer and Telecommunications Agency (since absorbed into the Office of Government Commerce) developed the standards for service providers to follow in delivering IT services to the British government. ITIL covers seven main areas: service support, service delivery, planning to implement service management, infrastructure management for IT and communications technology, applications management, security management, and the business perspective.

“ITIL is strong in process management and delivery but fairly narrowly focused on those areas,” says Nelson. “It only peripherally deals with security as a component in service management. From a pure security point of view, it’s relatively weak, but it was not designed to address that.”

Adds Proctor, “Cobit is better for meeting regulatory [requirements]. ITIL is more of an operations standard, something you use to improve the maturity of your IT operations. We find a lot of companies either choose ITIL or Cobit. Some do both, but that is rare.”

Ruben Melendez says ITIL is becoming the standard of choice for many vendors and is useful for improving security. He is president of The Glomark Group Inc., a consulting firm in Columbus, Ohio, that works with IT vendors and end-user organizations to develop return-on-investment strategies.

“The companies I’ve worked with are all ITIL implementers,” Melendez says. “We’ve done a lot of work with [CA] on security-related products. If you look at their literature, when they talk about security, they emphasize ITIL and not the others.”

According to Melendez, other vendors pushing ITIL include Microsoft Corp., Intel Corp. and Oracle Corp.

Future Of NIST

ALTHOUGH it’s less well known than some of the standards and models in place at many businesses today, an emerging framework being used within the federal government could help organizations improve their security, according to information security experts.

NIST Special Publication 800-53 was created in 2005 by the National Institute of Standards and Technology, as required by the Federal Information Security Management Act of 2002. It provides guidelines for selecting and specifying security controls for information systems that support the executive agencies of the U.S. government.

“I believe it has the potential to do for information security what ITIL has done for service management,” according to Mike Nelson, president of SecureNet Technologies.

The NIST framework “is clearly shaping up to be the state of the art for information security governance and the manifestation of due diligence,” he says.

Nelson says the NIST standard provides more comprehensive security guidelines than other standards designed to enhance corporate controls and IT service levels. It’s more granular than the other standards in areas such as security certification and accreditation processes, he says.

Although NIST 800-53 applies only to federal civilian agencies today, Nelson says it’s designed to be generic enough to apply to the private sector.

As the standard is adopted, he predicts, “we will start to see the federal sector lead the way in terms of security governance.”

-BOB VIOLINO


SAS 70

SAS 70 is an auditing standard that was created by the American Institute of Certified Public Accountants (AICPA) in 1992. A SAS 70 audit shows whether an independent accounting and auditing firm has examined a service provider’s controls for IT and related processes.

SAS 70 isn’t a predetermined set of control objectives or activities; the service organization itself defines the control objectives that are examined. Auditors must follow the AICPA’s standards for fieldwork, quality control and reporting, and they issue a formal report to the service provider that includes the auditor’s opinion once the audit is completed.

There are two types of reports: a Type I report describes a service provider’s controls at a specific point in time, and a Type II report describes the controls and includes detailed testing of the service provider’s control activities and processes over a minimum six-month period.

Service providers must demonstrate that they have adequate safeguards when they host or process client information. SAS 70 enables service organizations to disclose their controls to their clients and their clients’ auditors in a uniform reporting format.

The benefit to companies is that they receive detailed information about a service provider’s controls and an independent assessment of whether the controls are operating effectively. They can present this information to their own auditors when necessary.

SAS 70 lets organizations know if their existing controls are working, but it doesn’t tell them if all the right controls are in place, Nelson says.

Each of these standards has a potential role to play in helping organizations protect their systems and data. Companies that are looking to create an overall security strategy need to explore the frameworks to see which provides the best fit.

Violino is a freelance writer in Massapequa Park, N.Y. Contact him at bviolino@optonline.net.
The chief risk officer takes a bird’s-eye view of all enterprise risk.

By John S. Webster

Risk is a fact of life these days.

Financial services organizations have always grappled with credit- and market-related risk as an integral part of doing business. But today, the far-reaching threat of operational risks arising from potential breakdowns in internal controls and corporate governance — breakdowns that could compromise business — spans vertical industries and business functions, including IT.

With risk playing a role in many IT-related endeavors, such as data and physical security efforts and privacy and regulatory compliance initiatives, who keeps track?

Enter the chief risk officer, who acts as an organization’s linchpin for enterprise risk management (ERM), including IT and data security. CROs are fast becoming familiar faces among C-level executives at large organizations. According to Forrester Research Inc. in Cambridge, Mass., the executive ranks of any company that has revenue of at least $1 billion and can be classified as “critical infrastructure” — such as financial institutions, energy companies and health care providers — are likely to include a CRO. By next year, three quarters of large, critical infrastructure organizations will have a formal ERM office with a CRO or equivalent role, according to Forrester.

After its early emphasis in financial services, ERM has played an increasingly crucial part in business planning across industries during the past several years. Its widespread acceptance was spurred in part by regulations such as the Sarbanes-Oxley Act for accounting oversight and Basel II for measurement of international banking capital. As different types of operational risk also get included under the ERM umbrella, the CRO’s job is to eliminate the “fragmented” approach to managing risk, according to Forrester.

With government regulations and the rise of corporate governance policies addressing enterprisewide risk, Forrester and other analyst firms have hammered on the importance of having a single point person in place to oversee its management.

“With the fragmented, siloed approach to risk management, there is no one watching risk across the organization,” Forrester analyst Michael Rasmussen wrote in a December 2004 report on ERM trends. “In today’s complex business world, one weak spot can impact the entire business. Without a framework to work within, and someone in charge of risk management, organizations are running in the dark.”

An Expanding Role

One key to success for CROs is the ability to see the range of risk variations that can crop up across the enterprise. At The PMI Group Inc., a mortgage insurance company in Walnut Creek, Calif., the CRO position was created in 2003 to monitor international credit-risk operations. But the position’s description has since been expanded to encompass risk throughout the company, including strategic, operational, external, financial, IT and security (both data and physical) operations.

“Without an enterprise view, things can be missed because you can’t connect the risks,” says Joanne Berkowitz, chief enterprise risk officer at PMI Group. “If you’re just looking at your own little world and don’t have an idea of how what you’re doing will affect what someone else is doing, you could [inadvertently] create risk for the company.”

In IT, Berkowitz says, disaster recovery illustrates this concept.

“We have very detailed business-resumption plans and capabilities. To create these, people in the business units worked closely with me and with our CIO to identify which systems they depend on and to prioritize their recovery times,” she says. “This is particularly important because an increasing proportion of our business is automated; 90% of our business now comes through systems.”

James Lam, president of James Lam & Associates Inc., an enterprise risk consulting firm in Wellesley, Mass., agrees that the ability to see the big picture is key for the CRO.

“The key to success is having a strong background in the most critical risks to the company. You also have to look beyond your specific silos, across the enterprise, and have a comprehensive point of view,” he says. “Organizations are realizing that a risk manager can help achieve a company’s business objectives while he or she defends it from threats.”

An effective CRO has a range of skills that vary depending on the business focus, says Berkowitz. “There isn’t just one set of skills that will work for a CRO, and they’ll vary at each company,” she says.

The position requires the ability to take a holistic view of the risks that might affect operations anywhere in the company. To that end, the CRO must work with other C-level executives, as well as with business unit managers, says Berkowitz.

“We’re attempting to be proactive and to adopt good governance. Here, everyone would agree that the CRO is the person who’s leading that effort,” she adds.

With a CRO who takes a comprehensive view of risk across an organization, ERM can become a key piece of an overall business plan.

Webster is a freelance writer in Providence, R.I. Contact him at john.s.webster@verizon.net.
Computer Forensics

DEFINITION

Computer forensics is the application of specialized investigative and analytic techniques to identify, collect, examine and preserve data from computer systems or networks so that it may serve as evidence in a court of law. More narrowly, the term applies to the process of finding digital evidence after a computer security incident has occurred.

COMPUTER FORENSICS is one aspect of a broader concept called electronic discovery, which refers to any process in which data from a particular computer or network is sought, located, secured and searched with the intent of using it as evidence in a civil or criminal legal case. Hacking that may be ordered by a court or sanctioned by a government agency to obtain evidence can also be considered a form of electronic discovery.

In general, discovery refers to the overall process, whereas computer forensics is concerned with specific procedures and technical interpretation of discovered data.

An important factor in electronic discovery is the completeness of information and the extent to which the organization may be required (by law or regulation) to maintain copies. When a party is required to supply documents and correspondence about a particular event or transaction, it is expected to provide all such documents without filtering or editing.

-RUSSELL KAY

BY RUSSELL KAY

The television series CSI has given millions of viewers an appreciation of the role and importance of physical evidence in conducting criminal investigations. Each week, we see the confluence of fingerprints, DNA tests, autopsies, microscopic examinations and ballistic evidence used to solve a murder or explain the circumstances surrounding an unusual death. The drama lies less in the events that are portrayed than in the thinking that lies behind the collection, preservation and interpretation of the evidence needed to solve the case and support prosecution.

IT managers aren’t likely to confront dead bodies on the job, but a rudimentary knowledge of evidence, as it relates to computer data, can help protect your organization’s operations, data and processes.

In today’s computer-driven world, where networked e-mail and instant messaging are the communication norms, knowing how to collect, handle and analyze information on a miscreant’s computers can be critical to a successful civil or criminal prosecution.

There are two categories of computer crime: criminal activity that involves using a computer to commit a crime, and criminal activity that has a computer as a target, such as a network intrusion or a denial-of-service attack.

The same means of gathering evidence are used to solve both types of crimes. And the same kinds of skills used by the lawbreakers are needed to track them down.

It Takes an Expert

Computer forensics is not a task to be undertaken lightly by just any IT worker. Instead, it calls for specialized skills and careful, documented procedures. A forensics expert knows what signs to look for and can identify additional information sources for relevant evidence, including earlier versions of data files or differently formatted versions of data used by other applications.

Computer data is fundamentally different in some respects from other types of information, and this affects how we have to handle it as evidence. Unlike a traditional paper trail, computer evidence frequently exists in many forms, and often different versions of documents are accessible on a computer disk or backup tapes.

Data stored on a computer or network is difficult to destroy completely, because the data is likely to coexist on multiple hard drives, and deleted files and even reformatted disks can often be recovered.

In addition, computer data can be replicated exactly for special analysis and processing without destroying the originals.

Any type of data can serve as evidence, including text documents, graphical images, calendar files, databases, spreadsheets, audio and video files, Web sites and application programs.

Even viruses, Trojan horses and spyware can be secured and investigated. E-mail records and instant messaging logs can be valuable sources of evidence in litigation, because people are often more casual when using electronic communications than they are when they use hard-copy correspondence such as written memos and snail-mail letters.

And finally, digital data can be searched quickly and easily by machine, whereas paper documents must be examined manually.

Like other information used in a case, however, the result of a computer forensics investigation must follow the accepted standards of evidence as codified in state and federal law.

In particular, an investigator must take special care to protect evidence and to preserve its original state. It’s especially important to prevent suspect files from being altered or damaged through improper handling, viruses, electromagnetic or mechanical damage, and even booby traps. To accomplish this, it’s necessary to do the following:

■ Handle the original evidence as little as possible.

■ Establish and maintain the chain of custody.

■ Document everything that’s done.

■ Never go beyond what is known and can be proved from direct, personal knowledge.

Failure to protect evidence might mean that original data is irretrievably lost or changed and that results and conclusions may not hold up or be admissible in a court of law.

How It Works

While the circumstances of each case will differ, some elements are common to most computer forensic investigations. Here are some actions you should take:

■ Secure the computer system to prevent it from being altered or tampered with by the investigators, third parties or automated processes such as viruses or other types of malware. Unless you can’t avoid it, never analyze data using the machine it was collected from.

■ Make exact, forensically sound copies of data storage devices, including all hard drives. Do not change date/time stamps or alter data itself. Do not overwrite unallocated space, which may happen when rebooting. Specialized equipment is available to speed and facilitate the forensic copying of hard drives, and a cryptographic hash of the original, recorded at acquisition time, is what lets you show later that the copy you analyzed is identical to it.

■ Identify and discover all files on the system, including normal files, deleted-yet-remaining files, hidden files, password-protected files and encrypted files.

■ Recover deleted files as much as possible. Pay special attention to specific areas of the hard drive, including boot sectors, page files and temporary or swap files used by application programs and by the operating system.

Look at unallocated space (i.e., marked as currently unused), as well as the unoccupied space at the end of a file in the last assigned disk cluster after the end-of-file marker. Either area, though not considered a part of an active file, might hold relevant data from a different file or version of a document.

■ Maintain a full audit log of your activities throughout the investigation, and produce a detailed report at the end.
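The following script is an added example, not code from the article or from any tool it mentions. It walks through three of the steps above on a constructed disk image: hashing the original at acquisition so that any later change to the working copy can be proved, pulling the file slack (the bytes between end-of-file and the end of the last allocated cluster), and carving printable strings out of the unallocated clusters where deleted-yet-remaining data lives. The 512-byte cluster size, the flat allocation table and every byte of the image are assumptions of the example rather than a real file system format.

```python
"""Added example (not from the article): a toy forensic workflow covering
hash verification of a working copy, file-slack extraction and string
carving from unallocated clusters. The image, its cluster size and its
allocation table are constructed here and stand in for a real file system.
"""
import hashlib
import math
import re
from dataclasses import dataclass

CLUSTER = 512  # bytes per allocation unit in the constructed image (assumed)


@dataclass(frozen=True)
class FileEntry:
    """One row of the toy allocation table: name, start cluster, logical size."""
    name: str
    first_cluster: int
    size: int  # the file occupies ceil(size / CLUSTER) clusters


def build_sample_image():
    """Construct an 8-cluster image (constructed data, not a real disk).

    Clusters 0-1 hold memo.txt (700 bytes, so 324 bytes of slack remain in
    cluster 1, where a fragment of an earlier draft still sits). Cluster 2
    holds a deleted file no table entry references. Clusters 3-7 are zeros.
    """
    img = bytearray(CLUSTER * 8)
    img[0:700] = b"Q3 forecast: revenue flat.".ljust(700, b"A")
    residue = b"DRAFT: revenue down 12%, do not distribute"
    img[700:700 + len(residue)] = residue
    deleted = b"wire $250,000 to acct 7781 before the audit"
    img[2 * CLUSTER:2 * CLUSTER + len(deleted)] = deleted
    return bytes(img), [FileEntry("memo.txt", first_cluster=0, size=700)]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(original: bytes):
    """Return (working_copy, acquisition_hash); all analysis uses the copy."""
    return bytes(original), sha256_hex(original)


def verify_copy(copy: bytes, acquisition_hash: str) -> bool:
    """True if the copy still matches the hash recorded at acquisition."""
    return sha256_hex(copy) == acquisition_hash


def clusters_used(entry: FileEntry) -> range:
    return range(entry.first_cluster,
                 entry.first_cluster + math.ceil(entry.size / CLUSTER))


def file_slack(img: bytes, entry: FileEntry) -> bytes:
    """Bytes after end-of-file up to the end of the file's last cluster."""
    if entry.size == 0:
        return b""
    start = entry.first_cluster * CLUSTER + entry.size
    end = (clusters_used(entry)[-1] + 1) * CLUSTER
    return img[start:end]


def unallocated_clusters(img: bytes, table: list) -> list:
    """Clusters no table entry references: deleted files and unused space."""
    used = {c for entry in table for c in clusters_used(entry)}
    return [c for c in range(len(img) // CLUSTER) if c not in used]


def unallocated_bytes(img: bytes, table: list) -> bytes:
    return b"".join(img[c * CLUSTER:(c + 1) * CLUSTER]
                    for c in unallocated_clusters(img, table))


def carve_strings(data: bytes, min_len: int = 8) -> list:
    """Simplest carving: runs of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def investigate(original: bytes, table: list) -> dict:
    """Run the workflow on a working copy and return findings for the report."""
    copy, acquisition_hash = acquire(original)
    if not verify_copy(copy, acquisition_hash):
        raise RuntimeError("working copy does not match the acquisition hash")
    return {
        "image_sha256": acquisition_hash,
        "slack_strings": {e.name: carve_strings(file_slack(copy, e)) for e in table},
        "unallocated_clusters": unallocated_clusters(copy, table),
        "unallocated_strings": carve_strings(unallocated_bytes(copy, table)),
    }


if __name__ == "__main__":
    image, table = build_sample_image()
    for key, value in investigate(image, table).items():
        print(f"{key}: {value}")
```

On a real case only build_sample_image changes: the bytes come from a bit-for-bit acquisition made through a write blocker, and the file system's own allocation metadata takes the place of the flat table, while the hash check, slack extraction and carving apply unchanged. The acquisition hash belongs in the audit log the last step above calls for, since recomputing it over the copy is how the report shows the evidence was not altered during analysis.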


Kay is a Computerworld contributing writer in Worcester, Mass. You can contact him at russkay@charter.net.
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Flash  drives,  iPods, 
camera  phones  — 
you  know  what  your 
employees  carry  in. 
But  do  you  know 
what  they  carry  out? 
By  Steve  Alexander 


But  there  can  be  huge  consequences 
for  IT  departments  that  neglect  the 
problem,  Gold  says.  “Think  about 
compliance  issues  if  an  insurance  com¬ 
pany  employee  downloads  a  couple 
of  thousand  customer  records  onto  a 
flash  drive  and  then  loses  the  device,” 
he  says.  “And  often,  the  company  won’t 
even  know  the  employee  has  done  it.” 
The  result  can  be  lawsuits  and,  if  fed¬ 
eral  medical  or  financial  privacy  rules 
have  been  violated,  multimillion-dollar 
fines,  according  to  Gold. 

“The  payback  for  doing  a  good  job 
with  security  for  these  personal  de¬ 
vices  is  preventing  a  $10  million  to 
$30  million  company  liability,”  Gold 
says. 

Data  Guardians 

While  relatively  few  companies  are 
addressing  the  issue,  some  have  tried 
solutions  ranging  from  total  network 
lockdowns  to  requiring  the  use  of  en¬ 
crypted  flash  drives  to  ensure  that  data 
will  at  least  be  safeguarded  if  it  is  lost. 

At  the  less  restrictive  end  of  the 
spectrum  is  Children’s  Home  Society 
of  Florida  (CHS),  an  adoption  and  fam¬ 
ily  counseling  agency  in  Winter  Park. 

“We  deal  with  private  medical  infor¬ 
mation,  and  so  it’s  been  a  long-standing 
problem,”  said  CIO  John  Valleau.  “Our 
employees  have  floppy  disks,  flash 
drives  and  iPods  to  which  information 
can  be  transferred.” 

Although  CHS  has  a  “thou  shalt  not 
copy”  policy  regarding  the  download¬ 
ing  of  sensitive  information  to  portable 
memory  devices,  Valleau  says  he  isn’t 
about  to  ban  them,  because  “some 
people  might  need  to  carry  protected 
medical  records  from  one  location  of 
ours  to  another.” 

As  a  result,  Valleau  is  looking  at 
requiring  employees  to  use  only  new, 


encrypted  flash  drives  at  the  1,000 
computer  workstations  at  the  firm’s  210 
offices  around  Florida. 

Hospitals,  which  must  closely  guard 
patient  information  under  the  Health 
Insurance  Portability  and  Account¬ 
ability  Act,  are  particularly  concerned 
about  flash  drives. 

“While  personal  storage  devices 
haven’t  been  a  big  problem  for  us,  we 
need  to  be  able  to  prove  that  we  are 
protecting  patient  information,”  says 
Mark  McGill,  a  network  engineer  who 
administers  security  for  900  worksta¬ 
tions  and  1,200  users  at  Ellis  Hospital 
in  Schenectady,  N.Y. 

“Many people have access to patients’ Social Security numbers, personal information and diagnoses. So we toyed with banning flash drives and camera phones — a double threat when the camera phones contain memory cards that can hold data — but some people have a valid use for them,” he explains. “And when we started to lock things down, the users screamed. One doctor said he couldn’t give his PowerPoint presentation at another hospital.”

McGill’s solution was to install Sanctuary, a network monitoring product from SecureWave SA in Luxembourg that can restrict the use of personal storage devices based on a user’s identity, individual PC workstations or the type of personal data device being connected to the network. Exceptions can be made for reasonable data-access requests, he says. However, the software can’t protect against the use of a camera phone that is never connected to the network, so the hospital relies on a policy limiting where photos can be taken.

Network  Lockdown 

A more extreme approach was taken by Fabi Gower, vice president of information systems at Martin, Fletcher & Associates LP. The national health care staffing firm in Irving, Texas, has databases containing proprietary information about job candidates. Gower uses network-control software to limit both the type of content users can view and the time of day they can see it. Her company totally prohibits employees other than managers from copying data by limiting the network’s ability to write to portable storage devices.

“I’m a strong proponent of having control over the security of the business, whether you’ve got two employees or 2,000,” Gower says. “The way we’ve got the network set up, employees can’t plug PDAs, smart phones, flash drives or USB hard drives into the network. So I couldn’t care less what they carry in, because I know our data is not leaving the building.”
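The two enforcement models described above, McGill’s rules keyed on user identity, workstation and device type with documented exceptions, and Gower’s write block for everyone but managers, plus the encrypted-drive requirement CHS is weighing, can be expressed as one small device-control policy evaluator. The following Python is an added illustration written for this page; it is not code from Sanctuary, SecureWave or any of the companies quoted. The policy contents, user names, group names, workstation names and vendor:product:serial device IDs are all constructed for the example, and the `encrypted` flag stands in for whatever signal the endpoint agent would use to recognize an issued encrypted drive.

```python
"""Removable-media device-control policy: decide allow / read-only / deny for
each device connection by workstation, user, group and device class.
Added example for this page; every name and ID below is constructed."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    # Ordered so that max() picks the most permissive grant.
    DENY = 0
    READ_ONLY = 1
    ALLOW = 2


@dataclass(frozen=True)
class ConnectEvent:
    """A device being plugged into a managed workstation (constructed data)."""
    user: str
    groups: frozenset
    workstation: str
    device_class: str        # "usb_storage", "camera_phone", "pda", "hid"
    device_id: str           # vendor:product:serial as reported by the OS
    encrypted: bool = False  # True only for the issued, hardware-encrypted drives


@dataclass
class Policy:
    default: Decision = Decision.DENY
    class_rules: dict = field(default_factory=dict)   # device_class -> Decision
    group_rules: dict = field(default_factory=dict)   # (group, device_class) -> Decision
    exceptions: dict = field(default_factory=dict)    # (user, device_id) -> Decision
    locked_workstations: frozenset = frozenset()      # no removable media at all
    require_encryption: frozenset = frozenset()       # classes writable only when encrypted


def evaluate(policy: Policy, ev: ConnectEvent) -> tuple:
    """Return (Decision, reason). The most specific rule wins; among a user's
    groups the most permissive grant wins."""
    # 1. A locked-down workstation (shared kiosk, lab PC) beats everything.
    if ev.workstation in policy.locked_workstations:
        return Decision.DENY, f"workstation {ev.workstation} is locked down"

    # 2. An explicit exception for this user and this exact device is a
    #    documented risk acceptance (the doctor's presentation drive) and is
    #    applied as written, encryption requirement included.
    exc = policy.exceptions.get((ev.user, ev.device_id))
    if exc is not None:
        return exc, f"explicit exception for {ev.user} on {ev.device_id}"

    # 3. Group grants for this device class, then the class rule, then default.
    grants = [policy.group_rules[(g, ev.device_class)]
              for g in ev.groups if (g, ev.device_class) in policy.group_rules]
    if grants:
        decision = max(grants, key=lambda d: d.value)
        reason = f"group rule for {ev.device_class}"
    elif ev.device_class in policy.class_rules:
        decision = policy.class_rules[ev.device_class]
        reason = f"class rule for {ev.device_class}"
    else:
        decision = policy.default
        reason = "policy default"

    # 4. Never allow writes to an unencrypted device of a class that requires
    #    encryption: downgrade to read-only so a lost drive carries nothing.
    if (decision is Decision.ALLOW and ev.device_class in policy.require_encryption
            and not ev.encrypted):
        return Decision.READ_ONLY, reason + "; unencrypted device, write denied"
    return decision, reason


def audit_line(policy: Policy, ev: ConnectEvent) -> str:
    """One log line per connection: the evidence trail an audit asks for."""
    decision, reason = evaluate(policy, ev)
    return (f"device-control user={ev.user} ws={ev.workstation} "
            f"class={ev.device_class} id={ev.device_id} "
            f"decision={decision.name} reason=\"{reason}\"")


# Constructed policy: everyone may read removable storage, only managers may
# write, and only to encrypted drives; phones and PDAs are blocked; one doctor
# has an approved drive for presentations at another hospital.
HOSPITAL_POLICY = Policy(
    class_rules={"hid": Decision.ALLOW, "usb_storage": Decision.READ_ONLY,
                 "camera_phone": Decision.DENY, "pda": Decision.DENY},
    group_rules={("managers", "usb_storage"): Decision.ALLOW,
                 ("managers", "pda"): Decision.ALLOW},
    exceptions={("dr_lee", "0781:5567:SN-PPT-01"): Decision.ALLOW},
    locked_workstations=frozenset({"lab-kiosk-3"}),
    require_encryption=frozenset({"usb_storage"}),
)

# Constructed sample connection events, in the order a day might produce them.
SAMPLE_EVENTS = [
    ConnectEvent("nurse_k", frozenset({"clinical"}), "nursing-12", "usb_storage", "0930:6545:SN-A1"),
    ConnectEvent("mgr_p", frozenset({"managers"}), "admin-04", "usb_storage", "0930:6545:SN-B2"),
    ConnectEvent("mgr_p", frozenset({"managers"}), "admin-04", "usb_storage", "0bb4:1234:SN-ENC7", encrypted=True),
    ConnectEvent("dr_lee", frozenset({"clinical"}), "clinic-02", "usb_storage", "0781:5567:SN-PPT-01"),
    ConnectEvent("mgr_p", frozenset({"managers"}), "lab-kiosk-3", "usb_storage", "0bb4:1234:SN-ENC7", encrypted=True),
    ConnectEvent("nurse_k", frozenset({"clinical"}), "nursing-12", "camera_phone", "04e8:6640:SN-PH1"),
    ConnectEvent("nurse_k", frozenset({"clinical"}), "nursing-12", "hid", "046d:c31c:SN-KB"),
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(audit_line(HOSPITAL_POLICY, event))
```

Rule precedence matters more than the rule set: a locked workstation overrides a manager’s group grant, an explicit per-device exception is treated as an accepted risk and applied as written, and a manager’s unencrypted drive is quietly downgraded from writable to read-only so that a lost drive cannot carry records off-site. Each connection also yields a log line, which is the kind of evidence McGill says a hospital must be able to produce; as on the page, none of this reaches a camera phone that is never plugged in.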

But  some  company’s  data  will  get 
out,  Gold  predicts.  “I  have  no  doubt 
that,  with  all  these  portable  memory 
devices  in  the  workplace,  there  will  be 
a  federal  privacy  compliance  breach  in 
the  next  year.  And  it  could  be  a  huge 
liability.” » 


Alexander  is  a  freelance  writer  in  Edina, 
Minn.  Contact  him  at  s_j_alexander@ 
rocketmail.com. 


How to Stop the Leaks

FIRST LINE OF DEFENSE: Establish a portable-device policy and educate users about it. Few companies ban the devices outright; 15% to 20% have usage policies.

SECOND LINE OF DEFENSE: Implement network safeguards. Network management tools, used by less than 5% of corporations, can restrict network access by individual, workstation or type of device. Shutting down all USB ports isn’t practical because too many legitimate devices use them. Another alternative is to issue employees encrypted flash drives to protect the data in case the tiny devices get lost.

THIRD LINE OF DEFENSE: Dismiss employees caught violating the portable-device rules. This can help you avoid potentially huge corporate liabilities for compromises of confidential data.


PROLIFERATING FLASH drives and other personal memory devices are causing corporate IT managers to rethink data security policies and enforcement. But the balance between corporate security and user convenience has never been more difficult to achieve, because ubiquitous thumb-size drives can hold gigabytes of corporate information.

“In many cases, it’s an unrecognized security problem,” says Jack Gold, founder of J. Gold Associates, an IT consulting firm in Northboro, Mass. “And it’s not just flash drives. A lot of users have discovered that iPods make convenient backup devices.”
Snapshots


Who’s in Charge?

A ranking of the departments involved in setting IT security spending priorities:

1. IT only
2. Finance and IT
3. Top executives (CEO, COO)
4. IT steering committee
5. All departments, to some degree
6. Managers of business units
7. Risk management committee
8. Finance only

Caught on Tape

If your company uses tape storage, in the past year have tapes been lost, stolen or misplaced?

Yes: 6%
Not sure: 7%
We don’t use tape to store data: 7%
Prefer not to answer: 2%


Security Arsenal

Top security products or services currently being used:

Desktop antivirus software
Antivirus software
Enterprise firewalls (appliances)
Antispyware software
IPsec virtual private networks
URL blocking and filtering
Network intrusion detection
Enterprise firewalls (software)
Desktop firewalls
Network intrusion prevention
E-mail encryption software
Desktop/laptop/handheld file-encryption software

Base: 571 IT professionals

SOURCE: EXCLUSIVE COMPUTERWORLD SURVEY, MARCH 2006


MARK  HALL 

No  Silver  Bullet 


FIRST, THE BAD NEWS. THEN, THE WORSE NEWS. We are years away from having a single security architecture to protect company information. That’s because every area in IT has different technical hurdles to cross before security can be assured. And in each segment today, we are a long way from satisfactory protection.


Evalubase Research Inc. released a survey in February that covered five technology areas: data management, hardware and operating systems, communications and networking, application development, and industry applications. The research firm asked IT professionals to rank those technologies for performance, usability, functionality, compatibility, maintainability and security. You won’t be shocked to learn that security ranked at the bottom for all except hardware and operating systems, and communications and networking, where it was ranked next to last.

Nick  Caffarra,  president  of  Evalubase,  tells  me  that 
maybe,  maybe,  in  five  or  more  years  there  could  be  an 
integrated  cross-technology  security  approach  from 
one  vendor  capable  of  protecting  your  information. 

But  he  doesn’t  sound  optimistic. 

Little wonder that he isn’t bullish on a single security approach, because here’s the worse news. It comes from Seth Hallem, CEO of Coverity Inc. His company scans source code for defects, most of which lead to security holes. (The Department of Homeland Security and Stanford University chose Coverity to analyze open-source tools for defects.) Hallem points to research that proves it’s mathematically impossible to eliminate defects from source code. Mathematically impossible.

So, that’s the news. Your company’s information isn’t secure today, and it won’t ever be.

It’s  All  Relative 

Of course, security is relative. Last month, the folks at Coverity released some data for defect scans on 31 open-source projects. The average defect rate for 1,000 lines of source code was 0.42. Not bad. A programmer would, on average, crank out roughly 2,400 lines of code for each flub. But if that rate were constant against, say, the 30 million lines of Red Hat Linux 7.1, you’d have 12,600 lines with problems. If it held steady against the 213 million lines of source in Debian 3.1, you’d find 89,460 potential defects.

This isn’t to say that Debian is less secure as a server operating system than Red Hat. Or vice versa. But it does point to the kind of information you can use to lower the risk your information faces. That is, you can use tools to quantify your risk and then decide when, where and whether to use a technology.


Common  Sense 

You can also use common-sense strategies to protect your company’s information. Would your data be inherently more secure if more end users had Macintoshes? Despite news in February that the first (benign) virus for the Mac was discovered, the answer would have to be yes. That’s because viruses and worms written for one system wouldn’t be propagated by the other. In other words, a mix of operating systems is a good defensive strategy.

Do  all  end  users  really  need  fat  clients  —  Windows 
or  Macs?  Would  some  be  able  to  get  their  work  done 
more  securely  on  thin  clients?  Of  course. 

A mix of thin clients, Macs and Windows, as well as different server systems, is an ideal defense against many of today’s vulnerabilities. A side benefit is challenging the skills of hackers who will try to penetrate your defenses with primarily Windows-specific knowledge.

Some single-platform advocates argue that the IT costs of running multiple operating systems make it problematic to run a mixed environment. Maybe so. But these people have a short-term view of cost. The costs of a security breach are far greater. The University of Maryland estimates that when a public company suffers a single security breach, its market capitalization drops 5%. Would you want to tell the board of directors not to worry because the company saved some of that shareholder value in IT support costs through your single-platform strategy?

Business  =  Risk 

Every business faces risk the moment it opens its doors. IT’s job is to keep the risk to information at a minimum. Hoping for one solution — the security silver bullet — isn’t realistic. The one-way approach has proved to be a security liability when implemented as a uniform platform strategy.

Given how valuable information is to a company, Evalubase’s Caffarra says it might be time to put corporate data on a company’s balance sheet as an asset.

If  that  happened,  maybe  the  board  would  insist  that 
the  very  best  tools  and  methodologies  be  applied  to 
decrease  the  risk  to  that  information.  And  that  the  very 
best  strategy  isn’t  to  put  all  your  eggs  in  one  basket. » 
Terabyte Indexer

“Bottom line: dtSearch manages a terabyte of text in a single index and returns results in less than a second” — InfoWorld

♦  over  two  dozen  indexed,  unindexed,  fielded  data 
and  full-text  search  options 

♦  highlights hits in HTML, XML and PDF, while displaying links, formatting and images

♦  converts  other  file  types  (word  processor,  database, 
spreadsheet,  email  &  attachments,  ZIP,  Unicode, 
etc.)  to  HTML  for  display  with  highlighted  hits 

♦  Spider  supports  static  and  dynamic  Web  content, 
with  WYSWYG  hit-highlighting 

♦  optional  API  for  C++,  .NET,  Java,  SQL,  etc. 

Ask  about  new  .NET  Spider  API 


Developer Quotes and Reviews


For  hundreds  more  reviews  and  developer 
case  studies,  see  www.dtsearch.com 

Contact dtSearch for fully-functional evaluations


dtSearch  vs.  the 
competition: 
“dtSearch  easily 
overpowered  the 
document  indexing 
and  searching 
abilities  of  other 
solutions, 
especially  against 
large  volumes  of 
documents” 

Reliability: 
“dtSearch  got  the 
highest  marks 
from  our  systems 
engineering  folks 
that  I've  ever 
heard  of” 

Results:  “customer 
response  has  been 
phenomenal” 


The Smart Choice for Text Retrieval® since 1991


“The  most  powerful 
document  search  tool  on 
the  market” 

—  Wired  Magazine 

“dtSearch ...  leads  the 
market” 

—  Network  Computing 

“Blindingly  fast” 

—  Computer  Forensics: 
incident  Response  Essentials 

“A  powerful  arsenal  of 
search  tools” 

—  The  New  York  Times 
“Super  fast,  super¬ 
reliable” 

—  The  Wall  Street  Journal 

“Covers  all  data  sources 
...  powerful  Web-based 
engines”  —  eWEEK 
“Searches  at  blazing 
speeds” 

—  Computer  Reseller  News 
Test  Center 


1-800-IT-FINDS • www.dtsearch.com
a new era of VoIP analysis

You  convinced  management  to  deploy  VoIP. 
Now  ensure  that  it  will  run  smoothly. 

Rely  on  Network  Instruments'  Observer  to  help  keep 
VoIP  communications  running  at  optimal  performance. 


Reach Respected IT Leaders in

Computerworld Marketplace Advertising Section

The Computerworld Marketplace advertising section reaches more than 1.8 million IT decision makers a week. Marketplace advertising helps Computerworld readers compare prices, search for the best values, locate new suppliers and find new products and services for their IT needs.



©2006  Network  Instruments,  LLC  All  rights  reserved.  Network  Instruments,  Observer,  and  all  associated 
logos  are  trademarks  or  registered  trademarks  of  Network  Instruments,  LLC. 
Learn more.

1-800-566-0919 

networkinstruments.com/voip 
Computer: Sys Admin: Build
Solaris  servers  &  upgrade 
Solaris  O/S.  Install,  configure, 
&  manage  Veritas  Volume 
Manager,  File  system,  & 
Cluster  Server  on  Solaris. 
Install  Solstice  Disk  Suite, 
mirroring  the  root  disk  using  MD 
and  troubleshoot  with  Disk 
Suite  on  Solaris.  Install  & 
manage  WebSphere  Server, 
iPlanet  application  server  &  web 
server  for  content  management 
application.  Install  &  configure 
Big  Brother  for  server  &  client 
side  on  Solaris.  Monitor 
applications  using  Big  Brother, 
Topaz, & SiteScope monitoring
tools.  Create  &  modify  Topaz 
& Unix Scripts. BS or Equiv. in
CS, MIS, CIS, Eng (any), Bus,
Tech,  Math  or  related  w/2  yrs 
exp.  Salary  will  match  w/exp. 
Email  resume  info@infdim.com 
Or  mail  Infinite  Dimension, 
21351  Gentry  Drive,  Suite 
#265,  Sterling.  VA  20166. 


Computational Genomics Consultant needed to consult w/researchers & interact w/users for problem solving; write code/scripts, set up bioinformatics d-bases & integrate s/ware to streamline procedures for researchers; create & present tutorials & workshops on bioinformatics, genomics &/or proteomic s/ware & d-bases; use Unix, Perl, Java, Python, C/C++ & SQL. Ph.D. & exp. req. No opportunity to pursue personal research projects. Send resume to: U of MN Supercomputing Inst, Attn: A. Johns, 499 Walter Library, 117 Pleasant St. SE, Minneapolis, MN 55455


Computer  system  analyst: 

MidTech  Software  Solutions,  Inc. 
in  Campbell,  CA.  Analyze  &  dvlp 
computer  system.  MS.  Req'd. 
SQL,  C#  VB.Net,  Sharepoint 
Portal,  XML,  and  Windows  Server 
OS  skills  Req’d.  e-mail: 
jobs@midtechsolutions.com  or 
mail  Attn:  HR  900  E.  Hamilton  Ave., 
Suite  100,  Campbell,  CA  95008 


Software  Engrs.  for  Santa 
Clara,  CA.  Design,  develop  & 
test  software  using  Java,  C, 
C++,  VB,  Winrunner,  SAP, 
Oracle,  Networking,  ASP,  RUP. 
Masters  or  Equiv.**  req.  in 
Computers,  Engr’g,  or  related 
field  +  lyr.  of  related  exp. 
(**Equiv.:  Bachelors  or  Equiv.  + 
5yrs.  of  progressive  related 
work  exp.).  Relocation  flexibility 
&  legal  authority  to  work  in  the 
U.S.  40  hrs/wk.  Send  resume 
HR,  Infobahn  Softword,  Inc., 
3140  DeLaCruz  Bl.  #101 ,  Santa 
Clara,  CA  95054. 


Labor 

Certification 

Ads 


Are  you  an  individual,  agency  or 
law  office  needing  to  place  ads 
to fulfill legal requirements?

Let  us  help  you  put  together  an 
efficient,  cost  effective  program 
that  will  help  you  place  your  ads 
quickly  and  easily. 

For  more  details,  contact  us  at: 
800.762.2977 

it  (careers 


Programmer  Analysts  (P/A)  & 
Software  Engineers  (S/E)  for 
Edison,  NJ.  P/A:  Design  &  Develop 
software  applications  using  C++, 
Delphi,  ASP,  XML,  UML,  Coolgen, 
Interwoven,  Oracle,  PL/SQL, 
Developer  2000  &  Designer 
2000;  Bachelors  or  Equivalent 
req’d  in  Computers,  Engineering, 
math  or  related  field  of  study  +2 
yrs  of  related  exp.  S/E:  Design, 
Develop,  Test  Implement,  Maintain 
and  Coordinate  Installation  of 
software  applications  using  C,  C++, 
VB,  Delphi,  ASP,  Coolgen, 
Interwoven,  Tuxedo,  Tango,  Oracle, 
PL/SQL.  Developer  2000  & 
Designer  2000.  Masters  or 
Equivalent**  req'd  in  Computers, 
Engineering.  Math  or  related  field 
of  study  +  1  yr  of  related  exp. 
(**Eqv.:  Bachelors  or  Eqv.  +  5 
yrs  of  progressive  related  work 
exp).  May  be  relocated  to 
various  unanticipated  locations 
throughout  the  US.  40  hrs/Wk. 
Must  have  legal  authority  to  work 
permanently  in  the  U.S.  Send 
resume  to  HR.  Allied  Business 
Consulting.  Inc.,  34-36  Progress 
St..  Ste.  A-2,  Edison,  NJ  08820. 


Database  Administrator:  CoBank 
seeks  applicants  for  the  position 
of  Database  Administrator  in 
Greenwood  Village.  Design, 
install,  maintain  and  administer 
databases  using  both  Oracle 
and  SQL  Server  databases  that 
run  on  UNIX  (Sun  Solaris  or 
AIX)  and  Windows  operating 
systems.  Requirement  include 
Master's  degree  or  equivalent 
(Bachelor's  degree  plus  five 
years  progressive  experience) 
in  computer  science,  MIS, 
Engineering  or  related  field  and 
working  knowledge  of  designing, 
installing,  maintaining  and 
administering  databases  using 
both  Oracle  and  SQL  Server 
that  run  on  UNIX  (Sun  Solaris 
or  AIX)  and  Windows  operating 
systems  using  RDBMS,  Korn 
Shell  programming,  WebTrends, 
PVCS,  XML  and  HTML.  Working 
knowledge  of  installing,  configuring 
and  administering  PeopleSoft 
applications  using  PeopleTools. 
Respond  by  resume  to  Ron 
Lamberson  at  5500  S.  Quebec 
St.,  Greenwood  Village,  CO  80111. 


Software  Engineer  - 
Design,  develop  and  implement 
software  systems  for  such 
financial  systems  using 
WebLogic  Server,  LINUX, 
SYBASE  JMS,  JTA/XA,  UML, 
JAVA,  J2EE;  Min.  4  yrs.  exp.  in 
position  offered  or  Java/J2EE 
Architect/Developer  with  same 
duties  and  MS  Degree  in 
Comp. Sci., Eng. or related
field:  Salary  87,000  year.  Exp. 
ref.  req’d.  EOE.  Contact:  Onyx 
Infosoft,  Inc.,  6000  Medlock 
Bridge  Parkway,  Suite  C- 
100-365,  Alpharetta,  GA  30022 


Systems  Software  Engineer. 
Design,  develop  and  research 
system-level  and  application-level 
software  for  multi-tier  heterogeneous 
operating  environments  with  24/7 
availability,  for  financial  distributed 
B2B  and  B2C  applications  applying 
techniques  of  mathematical 
analysis.  Must  have  a  Bachelor  of 
Science  degree  or  U.S.  equivalent  in 
Electronic  Engineering  or  related 
field  plus  two  years  experience  as 
a  Software  Developer  or  related 
occupation.  Send  resume  to  Human 
Resources,  Insycom,  Inc.,  85  River 
Street, Suite 4B, Waltham, MA 02453.


Infosys  Technologies  Ltd.  a 
worldwide  leader  in  software 
consulting  has  openings  for  the 
following  positions  in  Fremont,  CA 
location:  Project  Manager:  direct 
development  &  implementation 
of  complex  software  projects  for 
large  corp.  accounts.  Analyze  & 
assess  client’s  techn'l  needs  to 
define  solutions  &  design 
comprehensive  project  plans. 
Provide  techn'l  &  admin,  leadership 
for  onshore/offshore  team,  assign 
responsibilities,  review  work,  & 
direct  computer/software  eng. 
team  efforts.  Direct  daily  operations. 
BS  deg  &  5  yrs  exp  in  tech'l 
project  mgmt  &  distributed  /Global 
Delivery  env't,  offshore  delivery 
processes,  (ref  Job  CWLC06PM) 
Engagement  Manager:  develop 
new  business  opportunities,  create 
brand  awareness,  build  strategic 
relationships  w /  multinational 
corp.  accounts  for  sales  of 
large-scale computer services
contracts  &  projects.  Serve  as 
primary  &  lead  contact  w/ 
large scale clients (large scale,
multi-location orgs.) for the sale,
delivery,  implementation,  &  support 
of  complex  software  and  business 
application  projects;  manage  contract 
&  pricing  negotiation;  maintain 
ongoing  relationships  w /  clients. 
Resolve  all  client  issues.  BS  in  eng 
field  &  5  yrs  exp  in  global  delivery 
systems  for  software  development 
services. (ref  Job  CWLC06EM) 
Sales  Manager:  develop  new 
business  opportunities,  analyze 
prospective  markets  &  clients; 
assess  client  business  needs; 
showcase  capabilities;  prepare  & 
present  business  proposals  that 
leverage  a  Global  delivery  Model; 
manage  contract  &  pricing 
negotiation;  maintain  ongoing 
relationships  w/  clients.  Manage 
&  direct  infrastructure/delivery 
issues  &  personnel.  MBA/MS  in 
Bus/Mgmt  &  BS  in  eng.  field  +  3 
yrs  exp  in  global  delivery  systems 
for  services. (ref  Job  CWLC06SM). 
Send  resume  (with  job  code 
reference)  to  HR/Recruitment, 
Infosys  Technologies  Two 
Adams  PI,  Quincy,  MA  02169. 


SR.  ASSOCIATE 
SOFTWARE  TEST  ENGINEER 

Bayer  Healthcare,  LLC  in 
Tarrytown,  NY  seeks  a  Sr. 
Associate  Software  Test  Engineer 
to  test  and  verify  requirements 
for  large  medical  diagnostic 
instruments  which  operate  on 
real-time,  user  interface  and 
database  platforms.  Master  of 
Science  degree  in  Computer 
Science,  Computer  Systems  or 
Business  (or  Bachelor's  degree 
in  one  of  the  computer-related 
disciplines,  together  with  five  (5) 
years  of  progressively  responsible 
employment  experience  in  position 
offered  or  as  a  Software,  R&D 
Engineer,  Programmer  Analyst 
or  Consultant  are  required.) 
Two  years  of  experience  in  the 
position  offered  or  as  programmer 
Analyst  of  Software  Programmer. 
Must  know  (through  academic 
background  or  work  experience): 
FDA  guidelines  for  the  software 
development  and  verification, 
as  well  as  automated  software 
testing,  including  Visual  Basic, 
SQL  Server,  WinRunner  and 
Quick  Test  Pro.  Experience  with 
ADVIA  Immuno  and  Chemistry 
Line/Centaur/WorkCell/LabCell
is  required.  Knowledge  of  at  least 
one  defect  tracking  system.  40 
hours/week,  overtime  as  required, 
8:00  a.m.  to  5:00  p.m.  Please 
submit  your  resume  via  email  to 
bayerdiag@trm.brassring.com. 


Computerworld 


Quantitative  Researcher.  Chicago, 
IL.  Responsible  for  all  aspects  of 
mathematical  modeling  of  stock 
returns,  including  creating  and  using 
algorithms,  cleaning  and  preparing 
data,  conducting  exploratory  data 
analysis,  performing  regression 
modeling  and  interpreting  results. 
Design  and  prototype  enterprise 
risk  management  system/ 
methodologies,  and  program  in 
compiled  languages,  including 
C/C++  and  Java.  Program  in 
high-level  statistical/mathematical 
analysis  languages,  including 
Matlab/Octave  or  S-Plus/R. 
Handle  large  datasets,  such  as 
Perl/Python, SQL and Unix scripting,
and  build  database-driven  pricing 
and  risk  systems  and  report 
generator.  Help  build  analytical 
infrastructure.  Must  possess  a 
minimum  of  a  Master's  degree  in 
Applied  Mathematics,  Finance. 
Statistics  or  a  related  quantitative 
field,  or  the  foreign  equivalent. 
Must  have  three  years  of  relevant 
experience  to  include  C/C++  or 
Java  programming,  Perl/Python, 
SQL,  and  Unix  scripting.  Must  also 
have  one  year  experience  using 
Matlab/Octave  or  S-Plus/R.  Please 
send  cover  letter  and  resume, 
referencing  job  order  R-0043  to: 
qrjobs0043@citadelgroup.com 


Clariant  Corp.  seeks  SAP 
FI-CO  Team  Leader  for 
Charlotte  to  be  resp  for 
day-to-day  mgmt  of  SAP 
Finance  &  Controlling  technical 
support  team.  Will  create  & 
manage  FI  &  CO  work-plans 
for  related  SAP  modules 
during  SAP  rollout  projects. 
Req  Masters  in  Comp  Sci  or 
Bus  Admin  (Finance)  &  3  yr 
SAP  exp  in  Special  Chemical 
industry.  Mail  resume  to  Mgr, 
HR  Syst  &  Measures, 
Clariant  Corp,  4000  Monroe 
Road,  Charlotte,  NC  28205. 


Web  Projects  Manager 

Assist  faculty  in  all  aspects  of 
courseware  development,  the 
selection  and  integration  of 
appropriate  instructional  and 
research  technologies.  Bachelor's 
degree  in  information  systems, 
instructional  design,  educational 
technology,  or  related  field 
preferred.  Must  have  1-2  years 
experience  supporting  faculty  in 
using  technology  consistent 
with  the  instructional  and 
research  support  mission  of  the 
Academic  Technology  Center. 
Should  also  have  broad  experience 
in  the  selection,  development, 
and  use  of  research  and 
instructional  technology  and 
experience  with  a  variety  of 
programming  and  web  production 
tools  such  as  JavaScript, 
ASP,  PHP,  Visual  Basic,  and 
Macromedia  Dreamweaver. 
Flash,  and  Adobe  Photoshop.  To 
apply,  go  to  www.bentley.edu/jobs 


Software  Engrs.  for  Santa 
Clara,  CA.  Design,  develop  & 
test  software  using  Java,  C, 
C++,  VB,  Winrunner,  SAP, 
Oracle,  Networking,  ASP,  RUP. 
Masters  or  Equiv.**  req.  in 
Computers,  Engr’g,  or  related 
field  +  lyr.  of  related  exp. 
(**Equiv.:  Bachelors  or  Equiv.  + 
5yrs.  of  progressive  related 
work  exp.).  Relocation  flexibility 
&  legal  authority  to  work  in  the 
U.S.  40  hrs/wk.  Send  resume 
HR,  Infobahn  Softword,  Inc., 
3140  DeLaCruz  Bl.  #101,  Santa 
Clara,  CA  95054. 
Computer/business professionals for permanent positions w/ short & long
term  assignments  to  various  unanticipated  locations  throughout  USA  for 
software  &  services  consulting  company  headquartered  in  Mountain  View,  CA. 

Business  Development  Managers 

I  (BDM200)  -BA  in  Bus  Admin,  Mgt.,  Finance  or  Acctg.  +  2  yrs  exp 

II  (BDM201)-  BA  in  Bus  Admin,  Mgt.,  Finance  or  Acctg.  +  5  yrs  exp 

III  (BDM202)-  MBA  or  MA  in  Mgt,  Finance  or  Acctg.  +  2  years  exp 

Business  Development  Managers  (  ERP) 

I  (BDMERP203)-BA  BusAdmin  or  Mgt/Fin/Acctg.  +  2  yrs  exp;  exp  w/  ERP  packages 

II  (BDMERP204)-BA  BusAdmin  or  Mgt/Fin/Acctg.  +  5  yrs  exp;  exp  w/  ERP  packages 

III  (BDMERP205)-  MBA  or  MA  in  Mgt/Fin/Acctg.  +  2  yrs  exp;  exp  w/  ERP  packages 

Business  Systems  Analysts 
I  (BSA206)  BA  in  BusAdmin,  Mgt.  Finance  or  Acctg. 

II  (BSA207)-  BA  Bus  Admin  or  Mgt/Fin/Acctg  or  equiv  +  2  yrs  exp  as  BSA 

III  (BSA208)-  BA  Bus  Admin  or  Mgt/Fin/Acctg  or  equiv  +  5  yrs  exp  as  BSA 

IV  (BSA209)  MBA  or  MA  in  Mgt/Fin/  Acctg  +  2  yrs  exp  as  BSA 
Technical  Business  Systems  Analysts  (BSA  w/technical  focus) 

I  (TBSA210)  BS  in  CS  or  Eng 

II  (TBSA211 )  BS  in  CS  or  Eng.  or  equiv  +  2  yrs  exp  as  BSA 

III  (TBSA212)  BS  in  CS  or  Eng  or  equiv  +  5  yrs  exp  as  BSA 

IV  (TBSA213)  MS  in  CS  or  Eng  +  2  yrs  exp  as  BSA 
Software  Engineers 

II:  (SE214)  BS  in  CS  or  Eng  or  equiv  +  2  yrs  exp 
III:  (SE215)  BS  in  CS  or  Eng  +  5  yrs  exp. 

IV:  (SE216)  MS  in  CS  or  Eng  +  2  years  exp 
Database  Administrators 
II:  (DBA217)-  BS  in  CS  or  Eng  or  equiv  +  2  yrs  exp 
III:  (DBA218)-BS  in  CS  or  Eng  +  5  yrs  exp 
Data  Warehouse  Architects 
(develop  data  model,  design  data  mart/warehouse) 

II:  (DWA219)-BS  in  CS  or  Eng  or  equiv  +2  yrs  exp 
III:  (DWA220)-BS  in  CS  or  Eng  +5  yrs  exp 
IV:  (DWA221)-MS  in  CS  or  Eng  +  2  years  exp 
e-Architects 

(plan  &  monitor  IT  projects,  provide  technical  input,  supervise  team) 

II:  (EA222)-  BS  in  CS  or  Eng  or  equiv  +2  yrs  exp 
III:  (EA223)-BS  in  CS  or  Eng  +5  yrs  exp. 

IV:  (EA224)-  MS  in  CS  or  Eng  +  2  yrs  exp 

ERP  Technical  Consultants 

(gather  customer  sys,  eng’g,  &  manuf  reqs;  design,  code  &  test  ERP  solutions) 
II:  (ERPTC225)-  BS  in  CS  or  Eng  or  equiv  +  2  yrs  exp 
III:  (ERPTC226)-  BS  in  CS  or  Eng  +  5  yrs  exp 
IV:  (ERPTC227)-  MS  in  CS  or  Eng  +2  yrs  exp 
Network  Systems  Administrators 
(NSA228)  -BS  in  CS  or  Eng  or  equiv  +2  yrs  exp 
(NSA229)  -BS  in  CS  or  Eng  or  equiv  +5  yrs  exp 
Sales  Engineers 

II:  (SALES230)BS  in  Eng  or  CS  or  equiv  +  2  yrs  exp. 

Ill:  (SALES231)BS  in  Eng,  CS  or  Scientific  Discipline  +5  yrs  exp 
Senior(SNSALES232)-MS  in  Eng  or  CS  +  2  yrs 

Program  Manager 

Business  Systems  (PMBS  233)  MBA  or  MA/MS  +2  yrs.  exp  (or  BA+5) 
Information  Technology  (PMIT  234)  MS  in  CS  or  Eng.+  2  yrs  exp  (or  BA  +5) 

To  apply  send  cover  letter  &  resume  to  Recruitment  Team,  Wipro  Ltd.,  Two 
Tower  Center  Blvd.,  #1100,  East  Brunswick,  NJ  08816.  Must  reference  job 
code  for  consideration.  Unrestricted  right  to  work  in  USA  required.  EOE. 


PROGRAMMER  ANALYST 

(Downers  Grove)  Plan,  develop, 
test  and  document  programs. 
Evaluate  user  requests  for  new  or 
modified  programs.  System  analysis 
for  configuration  with  different 
applications.  Analyze  programming 
problems  and  prepare  database 
scripts  and  technical  reports.  Convert 
project  specs  into  detailed  technical 
instructions.  Analyze  the  system 
issues,  development  limitations  and 
performance  issues.  Perform  client 
copies,  handle  STMS  transactions. 
Maintain  ALE  &  PFCG  Use  SAP 
R/3,  ABAP,  SAP  BW,  SAP  ITS, 
Oracle,  Windows,  Webstudb,  Basis 
Module,  BC  Connectors  &  IDocs. 
Bachelor's  degree  or  foreign 
equivalent  (will  accept  3  years  of 
Bachelor's  degree  and  additional 
3  years  of  work  experience)  in 
ComputerScience/Maths/Physics 
and  3  years  of  experience. 
Send  Cover  Letter/Resume  to 
HR.  Prosoft  Technology  Group 
Inc.,  2001  Butterfield  Road, 
305,  Downers  Grove,  IL  60515. 


Director,  Software  Development. 
Responsible  to  dvlp  plans/ 
schedules  for  programming 
activities  for  business  data 
processing.  Lead  3-5  dvlopers. 
Oversee  design/implementation 
of  system  architecture  &  dvlpment. 
Master  degree  in  CS  or  Eng  with  4 
yrs  exp  (or  Bachelor's  with  7  yrs  exp) 
Skills  in  Enterprise  Application 
Architecture  for  e-commerce 
and  database  architecture  req. 
Good  communication  skills. 
Send  resume  to  HR  Dept., 
NutriSystem  Inc.  300  Welsh  Road, 
Horsham,  PA  19044.  Job#DSD. 


BT Radianz seeks Head of Technical Solutions, North America to direct and manage pre-sales technical support organization in support of high-performance, secure global data networks and services for the financial services industry. Oversee network engineering support to sales and account management organization in providing technical solutions including network delivery of market data feeds using Multicast technology; order execution services using FIX protocol; and Order Management System connectivity, all offered over secure, high-availability, global extranet and IP networks. Work with product management to identify gaps in electronic trading and market data delivery product portfolio and to develop new product features based on customer demand. Provide technical and strategic support for large deals. Requires a Master's degree or foreign degree equivalent in Engineering, Telecommunications or a directly related field and at least 3 years of experience in IP network engineering and pre-sales support for financial services customers. Prior experience must include the provision of network-related technical solutions including market data delivery using Multicast technology, order execution services using FIX protocol and Order Management System connectivity, offered over secure, high-availability, global extranet IP networks. Position is located in New York City. Send resumes (please ref. code CW04060B) to BT Radianz c/o Computerworld, IT Careers, One Speen St., Framingham, MA 01701-9171.
Bird Flu

CIOs said the possibility of a major flu outbreak isn't that big of a concern for them, despite warnings dating back to early last year from the federal government, international groups and consulting firms such as Gartner Inc.

"I don't view [pandemic preparations] as that important," said Amy Fowler, president of the Colorado chapter of the Society for Information Management and an IT management consultant to large companies. "What are the odds of [a long quarantine] happening? We have bigger issues in IT than that one."

Dave Berg, CIO at O.C. Tanner Co., a provider of employee-recognition products and services in Salt Lake City, also hasn't made planning for a possible flu outbreak an action item. Berg noted that most of his employees have secure, high-speed computer access at home and that most operations can be done remotely. "I do not think we would have a serious problem here with keeping our computers and applications services available," he said.

Gartner has issued several advisories about a possible pandemic, urging IT shops to prepare for the need to upgrade broadband and virtual private network connections to the homes of key workers and beef up their online ordering capabilities for customers.

In a 31-page report issued March 7, the consulting firm listed in stark detail three scenarios for a global spread of the avian flu or another virus, from mild to severe. In the most severe scenario, several million people would die and the pandemic could last for a year or longer, despite strict quarantines. Many businesses would cease to operate, travel would be restricted, and workplace communications would often be done via phone, videoconferencing and e-mail.

But Gartner analyst Ken McGee last week rated overall corporate preparation levels at only a 2 or 3 on a scale from 1 to 10. "Maybe pandemic planning isn't the most important thing facing a company, but it should be in the top two," McGee said, suggesting that tight IT budgets might be keeping some companies from moving more quickly to prepare.

The biggest mistake companies are making is assuming that their existing continuity plans will work in the event of a pandemic, McGee added. "Unlike earthquakes and hurricanes and bombs, which are geographically confined, a pandemic is not," he said. "At Gartner, we can't comprehend what IT is thinking on this, because a pandemic is the gift that keeps on giving."

Prep Work

What IT managers should do to prepare for a possible avian flu pandemic:

■ Make your workforce aware of the threat and what you're doing to prepare for it.

■ Establish or broaden work-at-home policies that include the use of broadband services, appropriate security and network access to applications.

■ Expand online transaction-processing and self-service options for customers and business partners.

■ Invest in videoconferencing technology to use if travel restrictions are imposed.

■ Work with customers and partners to minimize disruptions by coordinating crisis-response capabilities.

LAWRENCE ROBERT says his company is brainstorming various disaster scenarios.

IT Staffing Issues Play a Role in Pandemic Planning

PREPARATIONS FOR an avian flu pandemic are extending beyond IT infrastructure and network issues to staffing considerations, including what to do if critical workers die or if a business temporarily closes and then needs to staff up again when it reopens.

Ellen Barry, CIO at the Metropolitan Pier and Exposition Authority in Chicago, said her organization's conference facilities would probably close during a pandemic, but staffers would need to remain on the payroll and be able to communicate with one another and with customers to plan future shows. A similar situation occurred when business travel slowed after the 9/11 terrorist attacks, Barry said.

Andy Wihtol, founder of Andrew Associates Executive Search in Lake Oswego, Ore., said IT organizations need to "think about having a bench, like a farm league in baseball." Companies should have not only in-house successors ready to step in for missing workers but also potential outside replacements for critical positions, Wihtol said. "You identify two to three people who [could] come in if a key person left or died, and then stay in touch with them," he said.

Kevin Desouza, an assistant professor at the University of Washington's Information School in Seattle, said some large companies are dealing with the possible loss of critical workers by cross-training IT staffers in different jobs and skills. "That way, if somebody goes, the new worker doesn't have to learn everything from scratch," Desouza said.

He added that if a pandemic occurs and IT workers are left idle because business productivity is down, it could be a good time for them to do home-based training or work on new technologies that might have been shelved previously. "You need to keep workers engaged," he said.

- MATT HAMBLEN

Kevin Desouza, an assistant professor at the University of Washington's Information School in Seattle, said he knows of "only a very few companies" that have systematic plans for monitoring whether a crisis is coming and for responding before a pandemic hits.

"The chief complaint of CIOs is that they walk a fine line between saying, 'The sky is falling' and educating people [about] the inherent risks associated with a pandemic crisis," he said.

Small and midsize businesses in particular are "way down the list" in terms of preparedness, Desouza added.

Some IT managers said they're working to adapt their companies' business continuity plans to a potentially widespread and long-duration pandemic. "In a pandemic, people would have to stay at home to prevent the spread of whatever the virus is, so we need to find ways to [support] that," said Ellen Barry, CIO at the Metropolitan Pier and Exposition Authority in Chicago and president of that city's local SIM chapter.

For example, to limit the amount of data traffic that moves across network pipes, Barry is considering putting the bulk of the authority's applications on centralized servers, following the concept behind WAN optimization products from vendors such as Citrix Systems Inc.

Barry said she has been planning for a pandemic for six months and recently attended two conferences where the topic was addressed.

Another potential problem, Barry said, is that even if workers have appropriate broadband connectivity and good PCs to use at home, they probably won't be as productive as usual if they are sick or involved in caring for someone who is ill.

Just in Case

Lawrence Robert, director of business continuity at a large financial services firm based in New England, said his company, which he asked not be named, has begun expanding its planning processes to include a possible pandemic.

The company is brainstorming disaster scenarios internally and sending detailed questionnaires to its telecommunications carriers seeking assurances that they will be able to handle network loads in residential areas efficiently and securely if a pandemic occurs, said Robert, who is a director of the 1,200-member New England Disaster Recovery Information X-change.

Some carriers have said that if broadband customers who need to work from home sign up in advance of a pandemic, there should be enough network capacity in the event of quarantines.

But "that's not necessarily true," Robert said. His company is taking into consideration the distances between the homes of critical workers and the central offices of their broadband providers. One goal of the ongoing research is to help company officials decide how many more laptops and VPNs need to be deployed.

Robert doesn't care whether the odds of a pandemic occurring are low or high. "Business continuity planners don't look at cause so much as effect," he said. "So whether there's a fire or a bomb or a pandemic, [if] the building is out, the workforce has to be disseminated." The biggest difference might be that the period of disruption could last longer during a pandemic than it would during another event, he added.

However, Desouza noted that a pandemic could produce "things that we did not predict, which can combine to cause problems we didn't imagine."
Routed by Rootkits

CALL it the worst work-around ever. How else to describe the advice from Mike Danseglio, a Microsoft security guru, to wipe and reinstall Windows on any PC infected with an insidious malware known as a rootkit? Danseglio grabbed some headlines this month when he told an audience at the InfoSec World security conference that once a rootkit digs in, there's no sure way to get rid of it short of nuking Windows and starting from scratch.

But it turns out his suggestion isn't new. Danseglio's been giving that advice for most of a year. He wrote a Microsoft "Security Tip of the Month" that said the same thing last October.

And it's good advice. But as a work-around, it's terrible.

It's good advice because Danseglio's probably right: There's no other way to root out a rootkit. We can try to prevent infections — with firewalls, virus scanners, software patches and updates.

But once a rootkit is in, it's in. It spreads its hooks everywhere. Rootkits are like cancer. You can cut out the obvious tumor, but there's no way to be absolutely sure you've removed every malignant cell from a patient's body.

We can't eliminate biological cancers with a wipe and reinstall. But we can get rid of rootkits that way. And if there's nothing better, it's a realistic tactical approach to the problem.

But it's still an awful work-around. Why? Because a work-around should be a trade-off, a rational decision about how to use resources. Work-arounds make sense when they cost less than fixing underlying problems. But a work-around's cost piles up over time. Eventually you do want those underlying problems fixed.

In Windows, that's not going to happen. The rootkit vulnerabilities go to the core of Windows. They're not just bugs; they're flaws in Windows' basic design. Waiting for Microsoft to fix them is pointless. Microsoft doesn't have a fix, at least not short of entirely ripping out and replacing the guts of Windows.

And the only trade-off is that we foot the bill for Microsoft's years of failure to secure Windows.

Yes, some rootkits will be blocked by tighter security in Vista when it finally arrives — but not all rootkits.

The soonest we can hope for a completely rearchitected, rootkit-proof Windows is literally years from now.

And Microsoft has yet to promise anything like that.

Meanwhile, we don't have just one work-around for the rootkit problem. We can actually try three different approaches.

Option A: Nuke and restore. You can automate the process. It might even become smooth — for IT. But don't underestimate the cost in lost productivity for users, who'll still have to adjust settings, rebuild their desktops and shortcuts, and reinstall their own applications (yes, they have them, even if they don't tell IT about them).

Option B: Change your Windows architecture. You can run Windows applications from a terminal server like Citrix. Or virtualize them with Softricity. Or move everything to blades. Yeah, it's a pricey transition, and it'll shake up users. You'll also probably need a lot more network bandwidth. But rebuilding all those PCs will be easier if it's ever necessary.

Option C: Abandon Windows. Whether that means Web-based apps or Linux or Macs or terminals, it's likely to be the most disruptive and costly option in the short term for both users and IT, and it will radically change what your IT shop does.

None of those options is a true trade-off. The cost and effort is all ours. We're facing complex and expensive choices, with no certainty that we'll ever see the underlying flaws fixed. Right now, it's all Microsoft can do to fix surface-level problems like buffer overflows.

It's going to require a completely new Windows core to finally purge the rootkit cancer for good. And that's going to take a very hard, very expensive decision by Microsoft.

Not just the worst of work-arounds for us.

FRANK HAYES, Computerworld's senior news columnist, has covered IT for more than 20 years. Contact him at frank.hayes@computerworld.com.


What the @#$%! Is Wrong?

Spam filter catches an outgoing e-mail message with language that would make a sailor blush, and IT pilot fish forwards it to HR, as required by company policy. Turns out there's an explanation - sort of. "The employee said his home e-mail wasn't working, or so he thought," says fish. "So he drafted an expletive-filled missive at work and sent it to his home e-mail account. Not receiving it, he concluded that his home e-mail wasn't working and contacted his ISP. There really is no cure for stupid."


Aha!

Remote office can't access the system at headquarters one day, so HQ pilot fish tests the remote equipment. "Neither the router nor the CSU/DSU, which connects the office LAN to the dedicated circuit, could be looped," says fish, who calls the phone company. Several hours later, telco calls back with the answer: "The smartjack, CSU/DSU, router, dumb terminal and printer were all gone," sighs fish. "Everything had been stolen."

Useless

User's personal mouse won't work with her laptop, and she demands that pilot fish fix it right away. "She said, 'Look, the laptop is not getting the information from the mouse,'" says fish. "I asked where the receiver to the wireless mouse was. She looked at me like I was an idiot. 'Isn't this a wireless laptop? Here's my wireless mouse. They should go together.' Again, I asked where the what-a-ma-thing with the black cable was. 'I got rid of the extra stuff,' says user. 'It wasn't needed.'"


so local governments can file reports with the agency electronically, reports a pilot fish in the mix. "Finally, they send out an e-mail with an attached form," fish says. "It reads: 'From this point forward, reports will be submitted via the Internet. Print and fill out the attached Word document and fax it back to us.'"

Ch-ch-changes

Consultant pilot fish spends a month modeling a client's shift to a new change-management system. Then comes the big day to switch things over. "I flew 1,500 miles to babysit it," says fish. "But a systems tech - who also was a big fan of the old system - refused to allow the cutover to proceed. 'There is no change order in the system authorizing this,' he insisted. Of course, he was right. Nobody, including me, had thought to enter a change to change the change system."


CHANGE IS GOOD. But sending me your true tale of IT life at sharky@computerworld.com is better. You'll snag a snazzy Shark shirt if I use it. And check out Sharky's blog, browse the Sharkives and sign up for Shark Tank home delivery at computerworld.com/sharky.